Motion to Dismiss for Failure to State a Vulnerability

When a project receives a vulnerability report, what’s the first question they should ask? I believe the correct answer is: In what way does the claimed vulnerability violate our threat model? A lot of the time the answer is obvious; we don’t need to spend much time interrogating how SQL injection or a buffer overflow violates our threat model. But it’s not always obvious: does it violate the threat model for a privileged user to be able to write to a given path on disk? In my experience a remarkable portion of invalid vulnerability reports are invalid not because what they say isn’t true, but because even if every word is true, they don’t actually articulate a violation of any threat model.

Under the Federal Rules of Civil Procedure, a complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief”[1], with “enough facts to state a claim to relief that is plausible on its face”.[2] And a defendant may move to dismiss the complaint if it – even accepting all factual allegations as true and drawing all reasonable inferences in the plaintiff’s favor – fails to allege a violation of law for which relief can be granted.[3] If a complaint isn’t actually alleging something that entitles the plaintiff to relief, you can expeditiously attempt to dispose of it. This is called a motion to dismiss for failure to state a claim. And I’ve found it to be a remarkably useful analogy for computer security research.

When a project receives a report of a vulnerability, and it’s not clear that there’s a coherent threat model under which it is a vulnerability, they need to push back in these terms, and perhaps update their documented threat model if it turns out to be incomplete. When reporting a vulnerability where the threat model is not immediately obvious, security researchers need to clearly articulate what they understand the threat model to be and how their vulnerability violates it.

It is my hope that for some people this post will create some connective neural pathways between two concepts that were previously unrelated, and that for others it will spur an interest in federal pleading standards. Now go forth and prepare your motions to dismiss for failure to state a vulnerability upon which a patch can be granted!

  1. Fed. R. Civ. P. 8(a)(2)

  2. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)

  3. Fed. R. Civ. P. 12(b)(6)