Two decades ago, economist Steven Levitt and New York Times reporter Stephen Dubner published "Freakonomics," a book that applied economic principles to various social phenomena. They argued that understanding how people make decisions requires examining the incentives they respond to. Using a range of sociological examples, they demonstrated how incentives can lead to unexpected and sometimes counterproductive outcomes.
Reflecting on these unintended consequences brings to mind a growing issue in cybersecurity: the rapid increase in software vulnerabilities tracked as Common Vulnerabilities and Exposures (CVEs). Last year, a record 28,902 CVEs were published, averaging nearly 80 vulnerabilities per day—a 15% rise from 2022.
These software flaws are costly, with two-thirds of security organizations reporting an average backlog of over 100,000 vulnerabilities and patching fewer than half. The surge in CVEs is partly because we’ve improved at discovering vulnerabilities, and partly due to inadequate safeguards in the creation and tracking mechanisms for CVEs. It’s crucial to consider the incentive structure that motivates the identification and assignment of vulnerabilities.
While the system for assigning and scoring CVEs is widely used, it has significant flaws. Established by MITRE in 1999, the CVE system provides a standardized method for identifying and cataloguing software vulnerabilities, helping organizations prioritize and mitigate them. However, the incentive mechanisms behind CVE assignment and scoring present challenges that can undermine this system’s effectiveness.
Some security researchers seek a reputation within the cybersecurity community by gaming the CVE system. This drive for recognition or professional advancement can result in a focus on the quantity over quality of submissions, cluttering the system with trivial or noncritical issues and diverting attention from more severe vulnerabilities. The ability to file CVEs anonymously or with minimal evidence also introduces opacity, allowing for erroneous, exaggerated, or malicious submissions. This lack of accountability necessitates rigorous verification processes to maintain trust in the system.
The Common Vulnerability Scoring System (CVSS) has been criticized for not accurately reflecting the actual risk posed by vulnerabilities in real-world environments. High-scoring vulnerabilities may receive undue attention, while more critical, exploitable flaws in specific contexts are deprioritized. For instance, security researcher Dan Lorenc highlighted a day when 138 CVEs were published, two with a critical priority score of 9.8, but none were true vulnerabilities. This raises the question: Are we seeing more CVEs because there are more vulnerabilities, or because the rewards for reporting them have increased?
To address these issues, we need to rethink the incentive structure of CVE reporting. Here are some suggestions:
1. Reward quality over quantity: Implement rewards based on the quality and impact of reported vulnerabilities, encouraging researchers to focus on significant exploits rather than sheer numbers.
2. Enhance verification and accountability: Introduce a tiered verification process requiring substantial proof of a vulnerability’s existence and impact before assigning a CVE, while still protecting researchers' identities.
3. Redefine CVSS to reflect real-world risk: Revamp the CVSS to better indicate real-world risk and exploitability, possibly incorporating feedback from organizations that have experienced exploit attempts.
Incentives play a crucial role in motivating the discovery and disclosure of vulnerabilities. To address the current issues in CVE reporting, we must reconsider how incentives shape behaviour. Until then, we can expect another record-breaking year for CVEs.
