Vulnerability Markets

There has been a lot of talk lately regarding both a paper that was presented at the Workshop on the Economics of Information Security (WEIS) last month entitled The Legitimate Vulnerability Market as well as the launch of a new online vulnerability auction marketplace, WabiSabiLabi. In fact, WabiSabiLabi is now being covered in mainstream media such as Forbes.

While some of these marketplaces are newly available, the practice of paying for vulnerabilities (or exploits) is certainly not. Several vendors such as Tipping Point, iDefense and even Netscape have either offered money for these in the past or have programs setup to purchase vulnerabilities from researchers. Many have made claims that they have even sold these to the U.S. government.

Much of the recent debate has been around ethics, very similar to the full disclosure discourse over the past several years. In the Forbes article, one interviewee speculates that black hats will always pay more for a vulnerability. While this may be true, again – this is nothing new. Vulnerabilities and exploits have always been sold to people with less than good intentions. What these new markets bring is an opportunity and forum for legitimate security researchers to be paid for their work while practicing responsible disclosure. An online vulnerability market can give the researcher the ability to understand more about the buyer, where they are coming from and their intention. It can also encourage legitimate vulnerability research. The more bugs that are found, ultimately will lead to more bugs fixed or not introduced at all. It provides incentives that simply weren’t there before and a way to adjust for a negative security externality.

There are several issues within a vulnerability market that need to be addressed in order for it to work effectively and establish a fair value for these vulnerabilities, but IMHO this is not an ethical debate. Within Charlie Miller’s paper, he discusses the inherent obstacles of this type of market. They include; Vulnerability information as a time sensitive commodity, Transparency in pricing, Finding buyers and sellers, Legitimate buyers, Demonstrating vulnerability value, Ensuring claim to vulnerability, and exclusivity of rights.

I encourage everyone to read the paper available on the WEIS site. If these markets are able to overcome the barriers and become successful, this will ultimately make our software more secure, not less.