Some of the key aspects of vulnerability—discovery, dissemination, and disclosure—have received some attention recently. However, the role of interaction among the vulnerability discoverers and vulnerability acquirers has not yet been adequately addressed. Our study suggests that a major percentage of discoverers, a majority in some cases, are unaffiliated with the software developers and thus are free to disseminate the vulnerabilities they discover in any way they like. As a result, multiple vulnerability markets have emerged. In some of these markets, the exchange is regulated, but in others, there is little or no regulation. In recent vulnerability discovery literature, the vulnerability discoverers have remained anonymous individuals. Although there has been an attempt to model the level of their efforts, information regarding their identities, modes of operation, and what they are doing with the discovered vulnerabilities has not been explored. Reports of buying and selling of the vulnerabilities are now appearing in the press; however, the existence of such markets requires validation, and the natures of the markets need to be analyzed. To address this need, we have attempted to collect detailed information. We have identified the most prolific vulnerability discoverers throughout the past decade and examined their motivation and methods. A large percentage of these discoverers are located in Eastern and Western Europe and in the Far East. We have contacted several of them in order to collect firsthand information regarding their techniques, motivations, and involvement in the vulnerability markets. We examine why many of the discoverers appear to retire after a highly successful vulnerability-finding career. The paper identifies the actual vulnerability markets, rather than the hypothetical ideal markets that are often examined. The emergence of worldwide government agencies as vulnerability buyers has significant implications. We discuss potential factors that can impact the risk to society and the need for detailed exploration. Keywords—Risk management, software security, vulnerability discoverers, vulnerability markets.
[1]
David McKinney.
Vulnerability Bazaar
,
2007,
IEEE Security & Privacy.
[2]
A. Ozment,et al.
Bug Auctions: Vulnerability Markets Reconsidered
,
2004
.
[3]
Omar H. Alhazmi,et al.
Quantitative vulnerability assessment of systems software
,
2005,
Annual Reliability and Maintainability Symposium, 2005. Proceedings..
[4]
Fabio Massacci,et al.
Quantitative Assessment of Risk Reduction with Cybercrime Black Market Monitoring
,
2013,
2013 IEEE Security and Privacy Workshops.
[5]
Muhammad Zubair Shafiq,et al.
A large scale exploratory analysis of software vulnerability life cycles
,
2012,
2012 34th International Conference on Software Engineering (ICSE).
[6]
Rahul Telang,et al.
Economics of software vulnerability disclosure
,
2005,
IEEE Security & Privacy.
[7]
Yashwant K. Malaiya,et al.
Modeling vulnerability discovery process in Apache and IIS HTTP servers
,
2011,
Comput. Secur..
[8]
David A. Wagner,et al.
An Empirical Study of Vulnerability Rewards Programs
,
2013,
USENIX Security Symposium.
[9]
Yashwant K. Malaiya,et al.
Application of Vulnerability Discovery Models to Major Operating Systems
,
2008,
IEEE Transactions on Reliability.
[10]
Charles Miller,et al.
The Legitimate vulnerability market: the secretive world of 0-day exploit sales
,
2007,
WEIS.
[11]
Tyler Moore,et al.
Measuring the Cost of Cybercrime
,
2012,
WEIS.
[12]
Sam Ransbotham,et al.
Are Markets for Vulnerabilities Effective?
,
2012,
MIS Q..
[13]
Yashwant K. Malaiya,et al.
Seasonal Variation in the Vulnerability Discovery Process
,
2009,
2009 International Conference on Software Testing Verification and Validation.