Re: AV/FW Adoption Sudies

[Eric Rescorla <ekr () rtfm com>]

Valdis.Kletnieks () vt edu writes:

> On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:
>
> > My hypothesis is that the sets of bugs independently found by white
> > hats and black hats are basically disjoint. So, you'd definitely
> > expect that there were bugs found by the black hats and then used as
> > zero-days and eventually leaked to the white hats. So, what you
> > describe above is pretty much what one would expect.
>
> Well.. for THAT scenario to happen, two things have to be true:
>
> 1) Black hats are able to find bugs too
>
> 2) The white hats aren't as good at finding bugs as we might think,
> because some of their finds are leaked 0-days rather than their own work,
> inflating their numbers.

Both of these seem fairly likely to me. I've certainly seen
white hat bug reports that are clearly from leaks (i.e. where
they acknowledge that openly).

> Remember what you said:
>
> > relatively small. If we assume that the black hats aren't vastly more
> > capable than the white hats, then it seems reasonable to believe that
> > the probability of the black hats having found any particular
> > vulnerability is also relatively small.
>
> More likely, the software actually leaks like a sieve, and NEITHER group
> has even scratched the surface..

That's more or less what I believe the situation to be, yes.

I'm not sure we disagree. All I was saying was that I don't
think we have a good reason to believe that the average bug
found independently by a white hat is already known to a
black hat. Do you disagree?

-Ekr