October 6, 2025

A Post-VM Warranty World

Robert "RSnake" Hansen


There will come a day when there is the first ever vulnerability management warranty. Then, some time later there will be a second, and so on. We’ll call this era the post-VM warranty world. 

Not every vulnerability management company will embrace a warranty, and the ones that do won’t all arrive at the same time. That means there are three potential states, or points of view, that a VM provider might hold given its incentives, at least as far as we’ve identified thus far.

No Warranty

The first is the traditional VM player with no warranty. They have no incentive to prioritize properly, and pass along the entire cost of their own failures, when those failures occur, to the customer. Not only that, but because the prioritization is not backed by truly objective information, they can tell you to fix everything, even if it’s indisputable that only about 1% of vulns have ever led to loss.

Assuming that remediation efforts are similar across the vulnerability spectrum, if the customer chooses to try to get to vuln-zero, that’s 99% of their time wasted. However, it costs the vendor nothing to lead the customer that far afield. I’m not saying the vendors in this category intentionally do a bad job; it’s just that there is no incentive to provide useful, quality output. It is the “more is more” approach, which is to say, the more vulns they find, the more they prove they’re doing their job, justifying their price and creating a talking point when they are doing bakeoffs with other traditional vulnerability management companies.

Warranty With Too Many Vulns

The second is a company that has a warranty that intentionally chooses to look for a lot of vulnerabilities (say 300k of CVEs in an extreme example) and disclaim all that they find. That’s a massive exclusion list that effectively neuters the utility of the warranty.

In the extreme example, if a vendor looks for all 300k CVEs and the customer cannot fix any that are on that list, the vendor will have no claims. Given how difficult it is for companies to get to vuln-zero, the warranty provides little to no value at all.

Of course, this scales up in utility from the customer’s perspective: if only 100k CVEs were disclaimed, it becomes three times easier to get to vuln-zero and to enable the warranty, or 30 times easier if the vendor only asks the customer to look for 10k CVEs, and so on. Though the risk becomes 10 and then 30 times greater for the vendor at the same time, respectively, so there is a balancing act in which the vendor has a negative incentive to reduce the number of CVEs it will disclaim, especially when it doesn’t know which vulnerabilities will lead to loss.

Warranty With Minimal Vulns

The last is a vendor that has a warranty and intentionally chooses a small number of vulnerabilities which have been known to lead to loss. That list is small enough that it is much more plausible to get to vuln-zero based on that diminutive list. Losses matter to the vendor; they are playing with their own money at that point.

This version of a warranty has huge value to the customer because losses due to vulnerabilities that aren’t on this short-list are one of the largest concerns for companies. If the customer wants to do less work they need a backstop, and the warranty provides that. But it only works if the set of vulnerabilities found is both large enough to encompass all vulnerabilities that lead to claims against the warranty and small enough to allow the customer to get to vuln-zero. This is the “less is more” strategy.

Explanation

The more companies that choose the last set of incentives, where they have a product warranty and few vulns excluded, the more it becomes a game of chicken to look for the smallest number of vulnerabilities possible while still keeping claims against the warranty in check. And if you think about it, that perfectly aligns with the customer’s needs - fewer losses and less remediation to do - with the backstop of a financial payout for vuln discovery failures that end up leading to loss.

Nothing is stopping a company from doing more and going above and beyond whatever the vendor recommends. In fact, it may make a lot of sense for some companies, while for others it makes no sense at all. For instance, a company may have a contract with a customer that requires them to fix all CVSS highs and criticals. So while that doesn’t necessarily represent losses from attackers, failing to fix them could break SLAs and cost the company revenue. But that does not fall into the same category of risk that an adversary does.

We feel that the vendor wins or loses by choosing whatever strategy is most or least economically in line with the customer’s needs, respectively. Vendors who choose to embrace a strategy that is most in alignment with the customer’s needs will naturally be favored by customers. In this way, we think that a post-warranty world will favor vendors who embrace a “less is more” strategy.

Stay Tuned For More
