July 28, 2016
Today, New America’s Open Technology Institute (OTI) releases Bugs in the System: A Primer on the Software Vulnerability Ecosystem and its Policy Implications. This primer starts with the basics, explaining what vulnerabilities are, how they are found, and how they are patched. It takes a look at the obstacles - from bad actors to policy hurdles - that hinder the discovery and repair of vulnerabilities and explains the impact they have on economic stability, national security, and consumer privacy. The report concludes with proposed guidance for policymakers on how to ensure that vulnerabilities are discovered and patched sooner, including the need for the U.S. government to minimize its participation in the vulnerability market.
In recent years, a seemingly endless string of massive data breaches in both the private and public sectors has made front page news and impacted millions of people. Such breaches are made possible by a software vulnerability - a “bug” in the system - that was unknown or left unaddressed. While vulnerabilities will always exist, their widespread impact means policymakers must make it easier for researchers to identify and address software vulnerabilities. This report highlights the current need for reform in the field of vulnerability discovery and disclosure and provides clear recommendations for policymakers and the private sector.
The following quote can be attributed to Ross Schulman, Co-Director of New America’s Cybersecurity Initiative and Senior Counsel at OTI:
“Massive data breaches, in both the public and private sectors, routinely make the front page these days. While policymakers hold hearing after hearing in search of a solution, they have not taken the obvious steps to close the loopholes that leave our data exposed. If policymakers want to increase online security, they must first understand the building blocks of the insecurity: software vulnerabilities. The U.S. has an obligation to examine its role in the vulnerabilities market. Policymakers must educate themselves on how the vulnerability ecosystem functions and how it discourages researchers from disclosing vulnerabilities that put millions at risk every day.”

The primer is available here.