Corpus ID: 16434896

Vulnerability Markets: What is the economic value of a zero-day exploit?

Rainer Böhme
Vulnerabilities are errors in computer systems which can be exploited to breach security mechanisms. Information about them can be very valuable, since it decides the success of attack or defense in computer networks. This essay introduces the economic perspective on computer security and discusses the advantages and drawbacks of different concepts for vulnerability markets, in which security-related information can be traded.


Understanding Hidden Information Security Threats: The Vulnerability Black Market
A system dynamics model is developed showing the growth of the vulnerability black market, and some simulations using the model are run to learn whether the attempt to legalize the vulnerability market helps to reduce the vulnerability information circulating in the black market.
The Legitimate vulnerability market: the secretive world of 0-day exploit sales
This emerging "0-day market" has some unique aspects that make this particularly difficult to accomplish in a fair manner; the issues are illustrated by following two case studies of attempted sales of 0-day exploits.
Toward a Dynamic Modeling of the Vulnerability Black Market
The "black market" for software vulnerabilities makes it in principle possible for criminals and terrorists to launch exploits toward organizations before system administrators have had a chance to…
A Comparison of Market Approaches to Software Vulnerability Disclosure
This paper provides a first attempt to structure the field by proposing a terminology for distinct concepts and defining criteria to allow for a better comparability between different approaches.
Markets for zero-day exploits: ethics and implications
A New Security Paradigms Workshop (2013) panel discussed the topic of ethical issues and implications related to markets for zero-day exploits, i.e., markets facilitating the sale of previously…
Modelling the Security Ecosystem - The Dynamics of (In)Security
The security of information technology and computer networks is affected by a wide variety of actors and processes which together make up a security ecosystem; here we examine this ecosystem,…
Two threat patterns that exploit "security misconfiguration" and "sensitive data exposure" vulnerabilities
We present threat patterns that describe attacks against applications that take advantage of security misconfigurations in the application stack and applications that expose sensitive data. These…
The dynamics of (in)security
Global Internet penetration and e-commerce have grown explosively over the past years. Today, information technology has become a backbone of our industry and everyday life. We would intuitively…
The Iterated Weakest Link - A Model of Adaptive Security Investment
A model is devised that reflects the dynamic interaction between a defender, who faces uncertainty, and an attacker, who repeatedly targets the weakest link; it explains why security under-investment is sometimes rational even when effective defenses are available.
Strengthening DoD Cyber Security with the Vulnerability Market
Abstract: In the past decade, the DoD and defense contractors have witnessed an immense theft of intellectual property which originated inside and outside our borders. So how do these thefts occur…


Why information security is hard - an economic perspective
  • Ross J. Anderson
  • Computer Science
  • Seventeenth Annual Computer Security Applications Conference
  • 2001
The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives as it is due to technical measures.
An Economic Analysis of Market for Software Vulnerabilities
Software vulnerability disclosure has become a critical area of concern for policy-makers. Traditionally, the Computer Emergency Response Team (CERT) has been acting as an infomediary between benign…
Bug Auctions: Vulnerability Markets Reconsidered
Measuring software security is difficult and inexact; as a result, the market for secure software has been compared to a "market of lemons." Schechter has proposed a vulnerability market in which…
Hacking the business climate for network security
The economics of security need to change, giving the businesses in the best position to fix the problem the motivation to do so, so that companies approach security as they do any other business uncertainty: in terms of risk management.
Cyber-Insurance Revisited
An indemnity insurance model is used to evaluate the conditions under which coverage for cyber-risks can be granted despite monocultures of installed platforms, acting as a counterweight to the market leader's strong economies of scale and fostering a more balanced market structure.
The Economic Case for Cyberinsurance
We present three economic arguments for cyberinsurance. First, cyberinsurance results in higher security investment, increasing the level of safety for information technology (IT) infrastructure.…
The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting
  • A. Ozment
  • Computer Science, Engineering
  • WEIS
  • 2005
A more appropriate data collection process is discussed and employed to identify the age of vulnerabilities in OpenBSD 2.2; two models are tested, and the results contradict previous work by providing support for the conclusion that vulnerability hunting is socially useful.
A framework for using insurance for cyber-risk management
Seeks to protect an organization against a new form of business losses in the face of cyber-attack.
The Market for "Lemons": Quality Uncertainty and the Market Mechanism
This paper relates quality and uncertainty. The existence of goods of many grades poses interesting and important problems for the theory of markets. On the one hand, the interaction of quality…
System Reliability and Free Riding
  • H. Varian
  • Business, Computer Science
  • Economics of Information Security
  • 2004
In the context of system reliability, the authors distinguish three prototype cases: purely voluntary provision of public goods, individuals who may tend to shirk, and an inefficient level of the public good.