• Corpus ID: 16434896

Vulnerability Markets: What is the economic value of a zero-day exploit?

Author: Rainer Böhme
Vulnerabilities are errors in computer systems which can be exploited to breach security mechanisms. Information about them can be very valuable, since it decides the success of attack or defense in computer networks. This essay introduces the economic perspective on computer security and discusses the advantages and drawbacks of different concepts for vulnerability markets, in which security-related information can be traded.

Understanding Hidden Information Security Threats: The Vulnerability Black Market

A system dynamics model is developed showing the growth of the vulnerability black market and some simulations using the model are implemented to learn whether the attempt to legalize the vulnerability market helps to reduce the vulnerability information circulating in the black market.

The Legitimate vulnerability market: the secretive world of 0-day exploit sales

This emerging “0-day market” has some unique aspects that make this particularly difficult to accomplish in a fair manner, and issues will be illustrated by following two case studies of attempted sales of 0-day exploits.

Toward a Dynamic Modeling of the Vulnerability Black Market

Using model simulations the authors discuss to what extent the attempt to legalize the vulnerability market may help to reduce the vulnerability information circulating in the black market.

A Comparison of Market Approaches to Software Vulnerability Disclosure

This paper provides a first attempt to structure the field by proposing a terminology for distinct concepts and defining criteria to allow for a better comparability between different approaches.

Markets for zero-day exploits: ethics and implications

A New Security Paradigms Workshop (2013) panel discussed the topic of ethical issues and implications related to markets for zero-day exploits, i.e., markets facilitating the sale of previously

Modelling the Security Ecosystem- The Dynamics of (In)Security

The security of information technology and computer networks is affected by a wide variety of actors and processes which together make up a security ecosystem; here we examine this ecosystem,

Two threat patterns that exploit "security misconfiguration" and "sensitive data exposure" vulnerabilities

We present threat patterns that describe attacks against applications that take advantage of security misconfigurations in the application stack and applications that expose sensitive data. These

The dynamics of (in)security

A comprehensive dataset of 30,000 vulnerabilities publicly disclosed since 1996 is built to reconstruct the vulnerability lifecycle and shows how accurate knowledge of the vulnerability discovery, exploit, disclosure, and patch-time allows one to identify different types of risk and to quantify the risk exposure and evolution thereof at global scale.

Strengthening DoD Cyber Security with the Vulnerability Market

Through use of the vulnerability market, the DoD can ensure that information security is built into the application layer, minimize the number of patches distributed, and optimize the investment in defense programs.

A Practical Example: Burglar Alarms

This essay hypothesises that security is a good with insufficient information, and rejects the assumption that security fits in the market for goods with asymmetric information.
Why information security is hard - an economic perspective

  • Ross J. Anderson
  • Computer Science
    Seventeenth Annual Computer Security Applications Conference
  • 2001
The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives as it is due to technical measures.

An Economic Analysis of Market for Software Vulnerabilities

It is demonstrated that an active “market-based mechanism” for vulnerabilities almost always underperforms a passive CERT-type mechanism, and a new mechanism – “Federally-Funded Social Planner” – that always performs better than a market-based mechanism is extended.

Bug Auctions: Vulnerability Markets Reconsidered

This paper argues that a vulnerability market in which software producers pay a time-variable reward to free-market testers who identify vulnerabilities can best be considered as an auction; auction theory is used to tune the structure of this ‘bug auction’ for efficiency and to better defend against attacks.

Hacking the business climate for network security

The economics of security need to change, giving the businesses in the best position to fix the problem the motivation to do so, so that companies approach security as they do any other business uncertainty: in terms of risk management.

Cyber-Insurance Revisited

An indemnity insurance model is used to evaluate the conditions under which coverage for cyber-risks can be granted despite monocultures of installed platforms, acting as a counterweight to the market leader’s strong economies of scale and fostering a more balanced market structure.

The Economic Case for Cyberinsurance

We present three economic arguments for cyberinsurance. First, cyberinsurance results in higher security investment, increasing the level of safety for information technology (IT) infrastructure.

The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting

A more appropriate data collection process is discussed and employed to identify the age of vulnerabilities in OpenBSD 2.2, and two models are tested; the results contradict previous work by providing support for the conclusion that vulnerability hunting is socially useful.

A framework for using insurance for cyber-risk management

Seeking to protect an organization against a new form of business losses in the face of cyber-attack.

The market for 'lemons': quality uncertainty and the market mechanism

This paper examines the allocation of credit in a market in which borrowers have greater information concerning their own riskiness than do lenders. It illustrates that (1) the allocation of credit is

System Reliability and Free Riding

  • H. Varian
  • Economics
    Economics of Information Security
  • 2004
In the context of system reliability, the authors can distinguish three prototype cases: purely voluntary provision of public goods, individuals may tend to shirk, and an inefficient level of the public good.