ETH Zuerich - Homepage
Computer Engineering and Networks Laboratory (TIK)
Publication Details for Inproceedings "Software Security Economics: Theory, in Practice"
Authors: Stephan Neuhaus, Bernhard Plattner
Group: Communication Systems
Type: Inproceedings
Title: Software Security Economics: Theory, in Practice
Year: 2012
Month: June
Book Title: Proceedings of the 11th Annual Workshop on the Economics of Information Security (WEIS 12). Berlin, Germany.
Abstract: In economic models of cybersecurity, security investment yields positive, but diminishing, returns. If that were true for software vulnerabilities, fix rates should decrease, whereas the time between successive fixes should go up as vulnerabilities become fewer and harder to fix. In this work, we examine the empirical evidence for this hypothesis for Mozilla, Apache httpd and Apache Tomcat over the last years. By looking at 292 vulnerability reports for Mozilla, 66 for Apache, and 21 for Tomcat, we find that the number of people committing vulnerability fixes changes proportionally to the number of vulnerability fixes for Mozilla and Tomcat, but not for Apache httpd. Our findings do not support the hypothesis that vulnerability fix rates decline. It seems as if the supply of easily fixable vulnerabilities is not running out and returns are not diminishing (yet). Additionally, software security has traditionally been viewed as an arms race between attackers and defenders. Recent work in an unrelated field has produced precise mathematical models for such arms races, but again, the evidence we find is scant and does not support the hypothesis of an arms race (of this kind).