Shostack + Friends Blog Archive


Economics of Vulnerabilities: Markets?

When I drew that picture for Don Marti, he suggested a market in software vulnerabilities. People who had invested in knowledge about a program could then buy or sell in that market. I think that the legal threats and uncertainties are probably sufficiently market-distorting to make such a market hard to operate and hard to take price data from. That might be correctable.

Incidentally, one of the troubles with over-editing is that you miss points that you want to make in a post.

4 comments on "Economics of Vulnerabilities: Markets?"

  • Ryan Russell says:

    Are you suggesting that there aren’t already a dozen places I could sell a vulnerability for a decent chunk of change? At least two of them are “legit”, iDefense and TippingPoint. Or am I misunderstanding?

  • Adam says:

    I haven’t seen a clear price list, as in “we paid X for this vuln.” Such lists exist for markets. You know what Citicorp is worth, because the market tells you. You know what a house is worth. You don’t know what a vuln is worth.
    There’s also the Lynn risk, which is distortive.

  • Ryan Russell says:

    Ah, so by “market”, you mean you’re looking for an equivalent to a NYSE stock listing. Fair enough. Yes, pricing info is hard to find. You can look to iDefense’s offer of $10,000US for MS Criticals (last quarter) or DB Vendor Criticals (this quarter). You can look at reports of an IE 0-day being sold to spyware distributors for around $11,000. You could lend some credibility to 0x80 claiming on Full-Disclosure that someone gave him $18,000US for a vuln. I believe I’ve read Dave Aitel say that a good Windows remote is worth about $20,000 to him.
    But yes, not very formal.
    You want to start tracking vulnerability prices? I can help you backfill some of the existing stuff.

  • Adam says:

    Yes, by market I mean a public space in which price information is available. I appreciate the offer of tracking, and feel it points out just how broken this all is. If we had a functioning market, I wouldn’t need to tap into a Ryan or a Dave who’s spending time paying attention to the prices of vulns and exploits.
    I’d just tap into the Chicago Vulnerability Exchange*, and find the bid and ask prices on a brand-x 0Day.
    *CVE, of course, like the Chicago Mercantile Exchange. 😉
