Say there are 10,000 unique vulnerabilities in your population (i.e. the group of resources that you care about). You have no knowledge of who/what/where/when an attacker will find a vulnerability and attack your environment. At this point, the rational security professional should assign equal probability that any one of these vulnerabilities will be exploited – 1/10,000 for each. Because of this equal probability, you decide to deploy your protection scheme so that you cover your assets as broadly as possible. In this case, you should probably focus on trust-based mechanisms and anomaly detection techniques for protection. You should also be actively assessing new techniques to get better at this broad level of protection.
Now, a bugfinder finds a vulnerability and, amidst a lot of soul searching, chest thumping, and quixotic whining, s/he releases it to the world in the interest of doing good, sometimes with PoC code in the interests of doing even more good. That means 1 vulnerability is accounted for, and the other 9,999 are still out there. How should you allocate your resources to protect against this known vulnerability?
We already know the answer to this – everybody flocks to actions protecting against the known vulnerability by patching their systems, and then when everything is patched we breathe a sigh of relief, completely ignoring the other 9,999 vulnerabilities that are still out there. This action is both warranted in some respects and misguided in others.
Many bugfinders dispute the notion that threat increases with the discovery and disclosure of bugs, but if my assumptions are right (please feel free to tell me where they are wrong), the only reason to treat this vulnerability differently is that the threat increases. If history is any guide, disclosure increases the threat drastically, since there have been thousands of exploits against these known vulnerabilities and only about twenty exploits against undercover vulnerabilities.
One of you out there is probably saying "that is because we do such a good job" which is kind of silly because 1) there has been no reduction in the number of vulnerabilities disclosed over time; 2) given the number of vulnerabilities out there, there is no reason to believe that good guys would find the same vulns as bad guys, and vice versa (the closest data I know of shows about 7% rediscovery rate with no attempt to determine hat color); and 3) there are more new vulnerabilities being created every day by programmers than there are vulnerabilities being discovered and patched.
Given the history, it isn’t completely crazy to want to protect against the known vulnerabilities, but it certainly calls into question why we do this to ourselves to begin with. And, more importantly, it overweights the emphasis (i.e. resource allocation) on a single vulnerability even though we know (in a "known unknown" sort of way) that there are 9,999 more vulnerabilities that could be exploited.
I am going to go out on a limb and suggest that if we really want to make a difference here, we are going to have to find and patch ten times more vulnerabilities than we currently are finding.
Else, we’ll need to consider the multitude of alternate techniques out there to protect ourselves.
Don’t forget about the other 9,999.
"… s/he releases it to the world in the interest of doing good, sometimes with PoC code in the interests of doing even more good."
Best quote of 2008. Well, so far.