Software Vulnerability Markets: Discoverers and Buyers

Authors: Abdullah M. Algarni, Yashwant K. Malaiya

Abstract:

Some of the key aspects of vulnerabilities, namely discovery, dissemination, and disclosure, have received some attention recently. However, the role of interaction between vulnerability discoverers and vulnerability acquirers has not yet been adequately addressed. Our study suggests that a large percentage of discoverers, a majority in some cases, are unaffiliated with the software developers and are thus free to disseminate the vulnerabilities they discover in any way they like. As a result, multiple vulnerability markets have emerged. In some of these markets the exchange is regulated, but in others there is little or no regulation. In the recent vulnerability discovery literature, the discoverers have remained anonymous individuals. Although there has been an attempt to model the level of their effort, information regarding their identities, modes of operation, and what they do with the vulnerabilities they discover has not been explored.

Reports of buying and selling of vulnerabilities are now appearing in the press; however, the existence of such markets requires validation, and the nature of these markets needs to be analyzed. To address this need, we have attempted to collect detailed information. We have identified the most prolific vulnerability discoverers of the past decade and examined their motivation and methods. A large percentage of these discoverers are located in Eastern and Western Europe and in the Far East. We have contacted several of them in order to collect firsthand information regarding their techniques, motivations, and involvement in the vulnerability markets. We also examine why many discoverers appear to retire after a highly successful vulnerability-finding career. The paper identifies the actual vulnerability markets, rather than the hypothetical ideal markets that are often examined. The emergence of government agencies worldwide as vulnerability buyers has significant implications. We discuss potential factors that can affect the risk to society and the need for further detailed exploration.

Keywords: Risk management, software security, vulnerability discoverers, vulnerability markets.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1091516

