Phreakonomics and Vulnerability Markets
Dave G. | December 16th, 2005 | Filed Under: Industry Punditry
In the comments on my Phreakonomics post, the subject of vulnerability markets came up. This wasn’t really the focus of my post, but there is certainly some relevance. Part of the conversation:
Dave G. said…
Ivan, I think your first assumption is occurring without an auction model. Without getting into the good vs. bad debate of it, vulnerabilities previously did not have a well defined financial value. For better or for worse, that is changing.
Ivan Arce said…
Yes, the first assumption may already be happening; the question is, do you want to encourage and reinforce the trend? Do you think it would be healthy to do so?
A common press technique is to answer the question you wanted to hear. With that in mind, I could swear I saw “Who are vulnerability markets healthy for?”. Let’s look at the players in the post-vulnerability-markets world.
Player #1 (Sorcerer): “Gravy train with biscuit wheels”. Formerly known as “Vulnerability Researcher”.
Player #2 (Elf): Affected Vendor (Closed Source). If you have the money to buy your vulnerabilities, you are sitting pretty. Buy, then patch (or don’t), on your timeline. If a Sorcerer publishes the same vulnerability, seek legal remedy against her.
Player #3 (Warrior): Affected Vendor (Open Source). Certainly left behind in all of this. Sorcerer, Valkyrie and Elf shot your food.
Player #4 (Valkyrie): Competitive Vendor. Lots of upside for you, zero risk. Each market offering is an option for you to throw an elbow to your competitors. Buy the vulnerability. Press release!
Player #5 (That Grim Reaper with the BadTouch): Criminal Element. If well funded, benefits more than anyone: a stable supply chain established for identity theft! Everyone except Sorcerer loses.
Player #6: The affected customer. Sucks to be you. If this were Gauntlet, no food or magic potions for you. You would just watch the carnage.
From a community perspective, attaching profit motive to vulnerability research isn’t inherently bad for anyone (we do this already). However, it is obvious that selling vulnerabilities to criminals creates tons of risk.


ivan
December 16th, 2005 9:13 pm
It appears that vulnerability disclosure debates are like gravity: no matter how much I try to avoid them, I end up crashing into them…
So according to your RPG it sucks to be player #6 (end user of the vulnerable technology), and herein lies the crux of the vulnerability market problem: Player #6 has no option but to either watch the carnage or buy the bugs himself; if he has no gold then it’s game over (over and over again, each time a new bug is auctioned).
Attaching profit motive to vulnerability research discourages the release of vulnerability information for free. However, it does make it easier to obtain a competitive advantage for those with deeper pockets: a few sorcerers, a few elves and many grim reapers.
The typical argument to counter the above is that it does not matter because releasing vulnerability information for free is BAD so therefore it is ok to discourage that evil practice.
So let me qualify the previous question: Is a vuln-market healthy for players #6 and #3? Apparently not.
So who does it help?
It is obvious that selling vulns to criminals creates a lot of risk (btw, I think player #1 also loses in that scenario).
Perhaps, what is not so obvious is that selectively disclosing vuln. information to any player using money as the sole decision criteria (instead of doing it on a default open need-to-know basis) is a losing move if you want to improve your security posture (not the balance of your bank account).
…that’s it, I promise to cut my fingers next time I feel compelled to drag myself into a vuln-market/vuln-disclosure debate.
Dancho Danchev
December 19th, 2005 7:35 am
Hello,
Nice that you’ve started thinking about the market for software vulnerabilities. I recently posted my point of view; you can read it at:
http://ddanchev.blogspot.com/2005/12/0bay-how-realistic-is-market-for.html
if interested.
Cheers,
Dancho