Economics of Vulnerabilities: Markets?
When I drew that picture for Don Marti, he suggested a market in software vulnerabilities. People who had invested in knowledge about a program could then buy or sell in that market. I think that the legal threats and uncertainties are probably sufficiently market-distorting to make such a market hard to operate and hard to take price data from. That might be correctable.
Incidentally, one of the troubles with over-editing is that you miss points that you want to make in a post.
Are you suggesting that there aren’t already a dozen places I could sell a vulnerability for a decent chunk of change? At least two of them are “legit”, iDefense and TippingPoint. Or am I misunderstanding?
I haven’t seen a clear price list, as in “we paid X for this vuln.” Such lists exist for markets. You know what Citicorp is worth, because the market tells you. You know what a house is worth. You dont know what a vuln is worth.
(AFAIK.)
There’s also the Lynn risk, which is distortive.
Ah, so by “market”, you mean you’re looking for an equivalent to a NYSE stock listing. Fair enough. Yes, pricing info is hard to find. You can look to iDefense’s offer of $10,000US for MS Criticals (last quarter) or DB Vendor Criticals (this quarter). You can look at reports of an IE 0-day being sold to spyware distributors for around $11,000. You could lend some creditbility to 0x80 claiming on Full-Disclosure that someone gave him $18,000US for a vuln. I believe I’ve read Dave Aitel say that a good Windows remote is worth about $20,000 to him.
But yes, not very formal.
You want to start tracking vulnerability prices? I can help you backfill some of the existing stuff.
Yes, by market I mean a public space in which price information is available. I appreciate the offer of tracking, and feel it points out just how broken this all is. If we had a functioning market, I wouldn’t need to tap into a Ryan or a Dave who’s spending time paying attention to the prices of vulns and exploits.
I’d just tap into the Chicago Vulnerability Exchange*, and find the bid and ask prices on a brand-x 0Day.
*CVE, of course, like the Chicago Mercantile Exchange. 😉