Is Finding Security Holes a Good Idea?


A large amount of effort is expended every year on finding and patching security holes. The underlying rationale for this activity is that it increases welfare by decreasing the number of vulnerabilities available for discovery and exploitation by bad guys, thus reducing the total cost of intrusions. Given the amount of effort expended, we would expect to see noticeable results in terms of improved software quality.

However, our investigation does not support a substantial quality improvement: the data do not allow us to exclude the possibility that the rate of vulnerability finding in any given piece of software is constant over long periods of time. If there is little or no quality improvement, then we have no reason to believe that the disclosure of vulnerabilities reduces the overall cost of intrusions.

License: CC-2.5
Submitted by Timothy Thimmesch on