September 26, 2025

Nulns: The Untold Story of Non-Exploitable Vulnerabilities in Cybersecurity

Robert "RSnake" Hansen


There are two types of vulnerabilities: the ones that will get exploited, and the ones that will never get exploited no matter how far into the future we set our time machine to take us. We don’t talk about those enough. In fact, we don’t even have a word for it. It’s time to change that.

But by way of example, let’s discuss what I mean first. In a hypothetical situation, let’s say we have gone 1,000 years into the future at our company and we look in the bug tracking system and we see that there is a vuln sitting there that still has not been exploited. It’s still there and still potentially vulnerable, but for a wide variety of reasons it’s not interesting to or remotely exploitable by an adversary. So there it sat, for 1,000 years. Lonely, untouched, and unexploited.

I refer to these issues as “nulns”, a portmanteau of “null” and “vuln”.

These nulns are currently treated as if they are vulns, but intellectually everyone seems to know that there are nulns in our midst. We know there are because oftentimes we will look at something minor and laugh it off as such a small issue that it’s not even worth talking about. Literally, the calories you’ll spend discussing it aren’t worth the risk. So why are we so quick to label everything as having a “risk”? Are we so confident we’re right about that? What if, in practice, the actual risk is zero for most of these issues, because they are nulns?

People will naturally decry this thinking by saying that there is no way to know the difference between a nuln and a vuln. “Robert, what if 1,001 years into the future an attacker suddenly comes out of the woodwork and exploits that long dormant nuln and turns it into a vuln?” Sure, this is possible, but it’s not practical.

You know what is also not practical? Treating 309,000+ CVEs, of which 304,000+ have never led to a demonstrable loss, as vulns. VulnCheck KEV has found a little over 4,000 vulns that have ever led to a breach, and the CVE database has been around for well over two decades. That means the vast majority of vulns are probably actually nulns.

Think about that for a second.

Nulns live all over our “risk” dashboards, wasting our time, making us focus on issues that simply aren’t real. The risk will never materialize. It’s made up!

Nulns should not be getting our attention.

Stay Tuned For More
