Serge Egelman
Cormac Herley
Paul C. van Oorschot
ABSTRACT
A New Security Paradigms Workshop (2013) panel discussed the topic of ethical issues and implications related to markets for zero-day exploits, i.e., markets facilitating the sale of previously unknown details on how to exploit software vulnerabilities in target applications or systems. The related topic of vulnerability rewards programs ("bug bounties" offered by software vendors) was also discussed. This note provides selected background material submitted prior to the panel presentation, and summarizes discussion resulting from the input of both the panelists and NSPW participants.
- Rainer Böhme.A comparison of market approaches to software vulnerability disclosure. Proc. ETRICS 2006:Emerging Trends in Information and Communication Security, (International Conference),Freiburg, Germany, June 6--9 2006, Springer LNCS 3995, pp.298--311.Earlier version: Proc. of 22C3, Berlin (Dec.27--30 2005),Vulnerability Markets: What is the economic value of a zero-day exploit? Google Scholar
Digital Library
- Matthew Finifter, Devdatta Akhawe, David Wagner.An empirical study of vulnerability rewards programs.USENIX Security, 2013. Google ScholarDigital Library
- J. Finkle. Hacking expert wins more than US $100,000 exposing Microsoft security holes. http://www.theglobeandmail.com/Google Scholar
- Ryan Gallagher. Cyberwar's gray market: Should the secretive hackerzero-day exploit market be regulated? Jan.16, 2013, Slate magazine.http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.htmlGoogle Scholar
- Brian Gorenc. Pwn2Own 2013 (blog). Jan.17, 2013.http://dvlabs.tippingpoint.com/blog/2013/01/17/pwn2own-2013Google Scholar
- Andy Greenberg.Meet the hackers who sell spies the toolsto crack your PC (and get paid six-figure fees). March 21, 2012 online; also in April 9, 2012 issue of Forbes magazine. http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-feesGoogle Scholar
- Andy Greenberg. Shopping for zero-days: A price list for hackers' secret software exploits. March 23, 2012 online; also in April 9, 2012 issue of Forbes magazine. http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/Google Scholar
- Marcia Hofmann and Trevor Timm. Electronic Frontier Foundation."Zero-day" exploit sales should be key point in cybersecurity debate. Mar.29, 2012.https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate\newpageGoogle Scholar
- Charlie Miller. The legitimate vulnerability market: Inside the secretive world of 0-day exploit sales. WEIS 2007.Google Scholar
- Milton Mueller. Regulating the market for zero-day exploits: look to the demand side. March 15, 2013. http://techliberation.com/2013/03/15/regulating-the-market-for-zero-day-exploits-look-to-the-demand-side/Google Scholar
- Andy Ozment. Bug auctions: Vulnerability markets reconsidered. WEIS 2004.Google Scholar
- Andy Ozment. The likelihood of vulnerability rediscovery and the social utility of vulnerability hunting. WEIS 2005.Google Scholar
- Eric Rescorla. Is finding security holes a good idea? IEEE Security and Privacy 3(1):14--19 (Jan.2005).WEIS 2004 version available (18 pages, updated 7 Feb. 2005).See also: E. Resorla, "Security Holes ... Who Cares?", USENIX Security 2003. Google ScholarDigital Library
- Jordan Robertson. 'Zero-day' black market--Where hackers buy secrets to exploit tech flaws. Jan.31, 2010. WRAL TechWire. http://wraltechwire.com/business/tech_wire/news/blogpost/6931357/Google Scholar
- S. Schechter. Computer Security Strength and Risk: A Quantitative Approach. Ph.D. thesis, Harvard, 2004. Google ScholarDigital Library
- B. Schneier. The vulnerabilities market and the future of security.May 30, 2012.http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-of-security/ same article in his blog: http://www.schneier.com/blog/archives/2012/06/the_vulnerabili.htmlGoogle Scholar
- Z. Xu, Q. Hu, C. Zhang. Why computer talents become computer hackers. C. ACM 58(4):64--74 (Apr.2013). Google ScholarDigital Library
Index Terms
- Markets for zero-day exploits: ethics and implications
Recommendations
A threat pattern for the "cross-site scripting (XSS)" attack
PLoP '15: Proceedings of the 22nd Conference on Pattern Languages of ProgramsWe present a threat pattern that describes cross-site scripting (XSS) attacks. In this attack attackers insert scripts in web applications that will lead to misuses in a target web application. Cross-Site Scripting is listed as number three risk on the ...
Quantitative Assessment of Risk Reduction with Cybercrime Black Market Monitoring
SPW '13: Proceedings of the 2013 IEEE Security and Privacy WorkshopsCybercrime is notoriously maintained and empowered by the underground economy,manifested in black markets. In such markets, attack tools and vulnerability exploitsare constantly traded. In this paper, we focus on making a quantitative assessment of the ...
Comments