Is finding security holes a good idea?
Eric Rescorla
RTFM, Inc.
Fourth version: February 7, 2005
A large amount of effort is expended every year on finding and patching security holes. The underlying rationale for this activity is that it increases welfare by decreasing the number of bugs available for discovery and exploitation by bad guys, thus reducing the total cost of intrusions. Given the amount of effort expended, we would expect to see noticeable results in terms of improved software quality. However, our investigation does not support a substantial quality improvement: the data does not allow us to exclude the possibility that the rate of bug finding in any given piece of software is constant over long periods of time. If there is little or no quality improvement, then we have no reason to believe that the disclosure of bugs reduces the overall cost of intrusions.
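The claim that the data "does not allow us to exclude" a constant bug-finding rate is a statistical one, and it is worth seeing what such a check looks like in code. The following is an added illustration, not code or data from the paper: it fits two Poisson models to constructed per-year counts of newly found bugs in a hypothetical program (a constant rate, and an exponentially decaying rate that nests it) and runs a likelihood-ratio test between them. The model choice, the constructed counts, and the 5% chi-square threshold are all assumptions made here; the paper's own analysis is in the full text linked below.

```python
import math

# Constructed yearly counts of newly reported bugs in one hypothetical program.
# These numbers are illustrative only, not data from the paper.
STEADY_COUNTS = [7, 5, 8, 6, 4, 7, 5, 6]       # looks roughly flat
DECAYING_COUNTS = [40, 25, 15, 9, 6, 4, 2, 1]  # clearly declining

# Chi-square critical value, 1 degree of freedom, 5% significance level.
CHI2_1DF_05 = 3.841


def poisson_loglik(counts, rates):
    """Log-likelihood of the counts as independent Poisson draws with the given per-year rates."""
    return sum(-r + c * math.log(r) - math.lgamma(c + 1) for c, r in zip(counts, rates))


def fit_constant(counts):
    """Model 0: a single constant discovery rate. The MLE is the mean count."""
    rate = sum(counts) / len(counts)
    return rate, poisson_loglik(counts, [rate] * len(counts))


def fit_exponential_decay(counts, max_b=2.0, steps=2000):
    """Model 1: rate_t = a * exp(-b * t) with b >= 0, fitted by maximum likelihood.

    For any fixed b the optimal a has a closed form (total / sum of weights),
    so a grid search over b is enough. b = 0 reproduces model 0 exactly,
    so the constant-rate model is nested in this one.
    """
    n = len(counts)
    total = sum(counts)
    best_a, best_b, best_ll = None, None, -math.inf
    for i in range(steps + 1):
        b = max_b * i / steps
        weights = [math.exp(-b * t) for t in range(n)]
        a = total / sum(weights)
        ll = poisson_loglik(counts, [a * w for w in weights])
        if ll > best_ll:
            best_a, best_b, best_ll = a, b, ll
    return best_a, best_b, best_ll


def likelihood_ratio_test(counts, critical=CHI2_1DF_05):
    """Can the constant-rate model be rejected in favour of exponential decay?

    2 * (ll1 - ll0) is asymptotically chi-square with one degree of freedom
    under the constant-rate hypothesis (model 1 has one extra parameter, b).
    A small statistic means the data cannot exclude a constant rate.
    """
    const_rate, ll0 = fit_constant(counts)
    _, b, ll1 = fit_exponential_decay(counts)
    stat = 2.0 * (ll1 - ll0)
    return {
        "constant_rate": const_rate,
        "decay_b": b,
        "lr_stat": stat,
        "constant_rejected": stat > critical,
    }


if __name__ == "__main__":
    for name, counts in (("steady", STEADY_COUNTS), ("decaying", DECAYING_COUNTS)):
        print(name, likelihood_ratio_test(counts))
```

With eight years of single-digit counts the test statistic stays far below the threshold, so a flat rate cannot be ruled out even though the fitted decay parameter is slightly positive; only a series with a pronounced downward trend rejects the constant-rate model. That asymmetry is the practical content of the abstract's caveat: absence of a detectable improvement is not the same as evidence of none, but it gives no support to the rationale for bug finding either.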
Full paper in PDF and PS