Riministreet
Linkedin Logo

A Bug’s Tale: All About Software Bugs and Vulnerabilities

How software vulnerabilities (bugs) are discovered, acknowledged, disclosed, and addressed

A Bug’s Tale: All About Software Bugs & Vulnerabilities
arrows pointing to the top right corner
01

Birth of a bug

What are software vulnerabilities (bugs) and where do they come from?

A couple of definitions are helpful for context:

Gartner® definition: “A bug is an unexpected problem with software or hardware. Typical problems are often the result of external interference with the program’s performance that was not anticipated by the developer.”

Mitre defines a vulnerability as “…a mistake in software that can be directly used by a hacker to gain access to a system or network.”

Bugs and vulnerabilities can occur for many reasons including new weaknesses, new and increasingly sophisticated attack methods, adoption of new technologies, infrastructure and development practices, talent shortages, etc. In many cases, the cause involves human error. And that means that software bugs are here to stay. So, let’s walk through the life of a bug and what you can do about them.

Fun Bug Fact:

The first computer bug was rumored to be a moth that shorted out Harvard’s Mark II computer in 1947. The computer was “debugged,” and the “bug” was taped to the logbook entry page kept by technicians in the lab. Talk about a bug report!

arrows pointing to the top right corner
02

Finding bugs

How are software vulnerabilities found?

Quiz question asking "Who finds the bugs?"

Most software bugs are found by security researchers that we affectionately refer to as bug “bounty hunters.” Bug bounties are programs run by software vendors (and external security firms) that often pay cash rewards to threat researchers and ethical hackers who discover and report bugs that vendors can replicate, and ultimately provide a “fix” for, often in the form of a patch or configuration change instructions.

Bugs can also be discovered by unethical hackers or “villains” with less honorable goals. And when these bad actors discover vulnerabilities, unlike our bounty hunting friends, these bad actors don’t report them to vendors, or anyone for that matter. They weaponize them for their own malicious use.

The Known Exploited Vulnerabilities Catalog lists known vulnerabilities that have been exploited for malicious intent when they become known, often as the result of investigating a breach or a series of breaches.

Some of the less honorable motivations to hack include:[1]

  • Financial gain: Includes ransomware, direct theft from victims, selling data on the dark web, etc.
  • Political statements: The “hackivist” is looking to disrupt websites, systems, etc. to support a specific ideology.
  • Revenge: Disgruntled employees, unhappy customers or others who cause damage to address a personal vendetta.
  • Fame: Hackers looking for recognition.
  • Theft of intellectual property: The motivation for the theft of intellectual property is especially dangerous for corporations and other organizations because this category tends to include state- and corporate-sponsored attacks targeting everything from weaponry blueprints to product patents. State-sponsored hackers often have an unlimited amount of time and funding to find a way to hack into their target.

Mitre tracks an exhaustive list of threat groups. Examples of these nation-state actors are Advanced Persistent Threat (APT) groups[2] like China’s DeputyDog (APT17), Buckeye (APT3), and the terrifying Double Dragon (APT41)[3].

Gartner also expressed its security concerns by saying, “It is not possible for an organization, at any security maturity level, to achieve zero vulnerabilities in its environment.”[4]

Fun Bug Fact:

Many software vendors require a non-disclosure agreement (NDA) for participation in bug bounty programs to help prevent premature disclosure of vulnerabilities and discourage bad actors from weaponizing vulnerabilities before customers have a chance to retrieve, test, and apply patches.[5]

arrows pointing to the top right corner
03

Software vendor acknowledgement

How vendors respond to bugs

Quiz question asking "What is a vendor's legal obligation regarding a new software bug discovery?"

Do you know what vendors are required to do when bugs are discovered in their software? Typically, nothing. Why not? Because the user agreement[6] that licensees sign usually protects the vendor with disclaimers of warranties and remedies. While that is disheartening, vendors do act. They usually:

  • Review the bug submission
  • Reproduce it (through bounty hunter instructions)
  • Validate the bug, identify affected products, and accept the bug for further action
  • Develop a patch
  • Add the new patch to their update packages such as Oracle Critical Patch Updates (CPUs) or SAP Security Patch Day

This process can take time – ranging from weeks to years.

Fun Bug Fact:

NIST tracks the submission of new vulnerabilities in a national vulnerability database (NVD). In 2023, there were over 29,000 security vulnerabilities registered as common vulnerabilities and exposures (CVEs) and 2024 is on track to outpace 2023.[7]

arrows pointing to the top right corner
04

Naming a bug

How common vulnerabilities and exposures (CVE) are identified

Quiz question asking "Who can name the bugs?"

It helps if software bugs have names (well, numbers actually). Fortunately, CVE Numbering Authorities including researchers and software vendors[8] assign CVE IDs from pre-allocated reserved blocks of numbers provided by NIST.[9] They assign one CVE record per vulnerability submitted so that cybersecurity experts can track and report on software fixes and mitigations.

Note: the date the CVE was created reflects the date the number was first issued to a vendor — which can differ dramatically from the date the vulnerability was discovered![10]

Fun Bug Fact:

CVE lists are voluntary and incomplete by definition, because vendors have no obligation to report bugs in new or legacy software.[11]  Additionally, while MITRE and NIST provide guidelines and standards for CVE submissions to ensure consistency, vendors are not obligated to follow them.

arrows pointing to the top right corner
05

What you can do about software vulnerabilities

How to develop a security and risk management (SRM) response

Quiz question asking "How long has your software likely been vulnerable to a security bug that you're just now hearing about?"

If your reaction to learning about a new software bug is “Just great! Another bug! And another patch!” you aren’t alone.

However, that bug or vulnerability has likely been in the software since it was first written by the developer (unless it was introduced by a patch) and since bad actors can quickly exploit a bug, it’s smart to have a plan in place for bug defense.

Vendor patching is a common, yet laborious, defense with steps such as:

  • Choose patches from Oracle CPUs or on SAP security patch day
  • Bundle patches and test them on a non-production server
  • Confirm that they do not affect critical data such as financial balances or health records
  • Schedule downtime and take production systems offline for patching
  • Repeat the entire process if the vendor issues new patches in response to user feedback to the original patches

Fun Bug Fact:

The average time for bugs to be exploited in the wild was only 4 days in 2024[12], down from more than 74 days in 2014?[13]

arrows pointing to the top right corner
06

Addressing bugs

How to approach security patches

Quiz question asking "What do Vendor Patches Protect Against?"

While staying current with vendor security patches has been a traditional way to mitigate vulnerabilities[14], it’s not uncommon for companies to struggle with patching[15] because it can require:

  • Highly skilled IT resources[16] and extensive planning, testing, and system downtime[17]
  • Long waits — months or even years — for software vulnerabilities to be detected, and patches to be provided, tested, and installed[18]
  • Potentially expensive, low ROI software upgrades to continue to receive new vendor security patches on software releases that no longer receive software vendor security updates[19]

A strategy relying solely on patching is challenged with:

  • Quickly mitigating all cybersecurity risk[20]
  • Accounting for unique system configurations or data[21]
  • Vendor patches are not specifically designed to protect custom code developed by a customer or address a customer’s unique environment and architecture
  • Developing and applying vendor security updates may take an extended period of time to complete, delaying protection from known threats

Additionally, a considerable amount of downtime is required to patch and update systems. This can cause friction between security teams trying to deploy all available tactics to reduce risk and IT operations teams charged with uptime and business continuity.[22]

Fun Bug Fact:

No single solution can ensure you can find and fix all vulnerabilities.[23]

arrows pointing to the top right corner
07

Outsmarting bugs

How Rimini Protect™ addresses software vulnerabilities

Many enterprise software systems have driven businesses for clients for decades and are now beyond their vendor support end-dates, implying that limited or no new security patches are available for these systems. Security patches are also not typically available when a client leaves vendor support.

Rimini Street enables a business and data-driven approach to prioritizing risk mitigation. We focus on improving security postures and reducing security risk exposure without the application of vendor-provided security patches or modification of vendor code.

Many organizations have already established other defensive strategies to protect their enterprise software as a result of limited security patch availability. Rimini Protect solutions are tailored to a client’s ecosystem to complement and enhance our clients’ existing security strategies to protect against known (discovered) and unknown (undiscovered) threats and vulnerabilities.

Learn more about Rimini Protect

arrows pointing to the top right corner
08

Software vulnerabilities FAQ

Answers to common questions about software vulnerabilities

What is a software weakness vs. a vulnerability?

Weaknesses are software or hardware conditions that can lead to a vulnerability. Mitre maintains a list weaknesses known as Common Weakness Enumerations (CWEs). A vulnerability is a “bug” or mistake that can directly be used to exploit (gain access to) a system. NIST maintains a national vulnerability database of known Common Vulnerability Enumerations (CVEs).

What are some examples of software vulnerabilities?

Think of vulnerabilities as a way to take advantage of the context (weakness) to exploit a system. With CWE-787 there is a partial list of many ways this weakness has been used to exploit systems. Examples of software vulnerabilities include corrupting memory (CVE-2021-28664), enabling the ability to “escape” from a test or sandbox environment (CVE-2020-0041), etc.

What are some examples of software weaknesses?

Think of software weaknesses as the context of the situation. For example, CWE-787 is titled “Out-of-bounds Write” which is described as writing data before or after the area of memory that the program is intended to access.  Allowing data to be written in unexpected areas of memory can cause unpredictable results and is a weakness.

What is the difference between malware and software vulnerabilities? 

Malware is a program that can be installed via an exploit intended to compromise the “confidentiality, integrity, or availability of the victim’s data, applications, or operating system.” Software vulnerabilities are “bugs” that can be used to exploit a system.

What is an exploit?

An exploit is a “bad actor” using a program or piece of code to take advantage of a security vulnerability. CISA keeps a list of known exploited vulnerabilities called the KEV catalog.

What are some examples of exploits?

Some examples of exploits include:

  • An individual or organization using methods described in CVE-2021-28664 to write some code that could corrupt a company’s database. 
  • An individual or organization using methods described in CVE-2020-0041 to write code that enables unauthorized access to files on a computer to steal customer information or trade secrets. 

Why are CWEs important?

Mitigating the overall weakness can usually render all of the CVEs mentioned within one CWE ineffective. This also protects against future vulnerabilities that rely on the same weakness (proactive protection). This is much more efficient than attempting to address each vulnerability one at a time.

[4]How To Implement a Risk-Based Vulnerability Management Methodology” Gartner, Published 20 April 2023 – ID G00777685
[8] CVE Numbering Authorities (CNAs): https://www.cve.org/ProgramOrganization/CNAs
[9] NIST FAQ describing reserved CVE records: https://www.cve.org/ResourcesSupport/FAQs
[10] NIST FAQ What does DATE RECORD CREATED signify in a CVE Record? https://www.cve.org/ResourcesSupport/FAQs
[11] See section, “when to give up”  OWASP Vulnerability Disclosure Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html
[12] Time to exploit a bug https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure
[13] Page 17 “How To Implement a Risk-Based Vulnerability Management Methodology” Gartner, Published 20 April 2023 – ID G00777685
[14] DarkReading: Microsoft started issuing patches in 2001 to fix security vulnerabilities. link CISA recommends installing patches/updates as soon as possible. link
[15] DarkReading: “Patching this tidal wave of vulnerabilities is an unattainable task.” link “…IT and security teams are stretched thin and cannot keep up with the task. It’s not humanly possible.” link
[16] DarkReading:  “…where IT talent is hard to attract and retain.” link Deloitte: “Only 13 percent of employers surveyed say they can hire and retain the tech talent they need most.” link Ivanti: “A shortage of IT staff has reduced the ability to mitigate security issues promptly for many companies.” link Cisco: “Patch everything that could be bad (like everything CVSSv3 Medium and above), and you’ll achieve great coverage at the expense of a lot of unnecessary work that will tax your security team.” link
[17] Gartner: “…it is well-understood in IT operations that a considerable amount of outages and downtime comes from trying to patch or update systems.” “Patching breaks things all the time. It is a regular occurrence to see system outages due to patching, even in mature environments with good IT operations and patching tooling.”
[18] Gartner: “There are a number of vendors who simply do not issue patches in a timely manner.”  “There is often a large gap between the discovery of vulnerabilities and the resources available within IT operations to treat them within the time frame in which attackers operate.”
[19] Oracle Technology Global Price list:  https://www.oracle.com/assets/technology-price-list-070617.pdf.   Oracle Sustaining support includes PRE-EXISTING security alerts and updates. link
[20] Gartner: “It is not possible for an organization, at any security maturity level, to achieve zero vulnerabilities in its environment.”   “In reality, preventing vulnerabilities from being exploited is not always possible or even feasible with just patching for most end user organizations.” “Organizations will continue to struggle to patch systems at the same time scale threat actors operate.” Security Intelligence: “Does this make patching a catch-all cybersecurity solution? While patching is an important component of cybersecurity, other security solutions and strategies must complement it.”  link
[21] NIST: “The act of applying a change to installed software – such as firmware, operating systems, or applications – that corrects security or functionality problems or adds new capabilities.”  link
[22] Page 4 & Page 5 “How To Implement a Risk-Based Vulnerability Management Methodology” Gartner, Published 20 April 2023 – ID G00777685
[23] Gartner:  “It is not possible for an organization, at any security maturity level, to achieve zero vulnerabilities in its environment.”  Gartner, Published 20 April 2023 – ID G00777685