Regulating vulnerability markets

May 19, 2014


Didn’t read it?  It’s about how the US should regulate the “0-day vulnerability marketplace” so that “bad guys” can’t get the “0-days”.

There is an underlying flaw in the thinking, which may be pervasive in the beltway cyber-echo-chamber, that vulnerabilities are things — things that someone invents or manufactures.  Vulnerabilities (in the 0-day or Øday or whatever sense) are not inventions.  They are facts that are discovered.  It is an important distinction.  A working exploit is the result of occasional invention on the part of the researcher, but the flaw being exploited is not.

Understanding what a security flaw is helps deconstruct the idea of a “Øday vulnerability marketplace”.  The purchasers in this market are not “buying 0-dayz”.  They are outsourcing vulnerability research and testing.  More to the point, they are outsourcing it as piece-work.  The sellers in this market are engaging in a race/lottery to get paid.

Microsoft, Google, The NSA, etc. have the capability to discover software and hardware security flaws.  In addition to this work, they offer bounties (payment) to any and all comers (or those on a procurement schedule) for usable discoveries.  There are incredible advantages to doing this.

The purchaser pays once to acquire the discovery — the fact.  The seller gets paid a decent amount that made searching for and verifying the vulnerability worthwhile.  Say Google paid $25K for a Chrome vulnerability, which the seller took 95 hours to find and a few hours to weaponize.  The seller earns $250/hr for a labor of love.

What Google isn’t paying for is the hundreds of people who each looked at the same thing and either didn’t see the vulnerability, or brought it to Google a little too late.  That is thousands and thousands of of hours of effort that doesn’t hit Google’s bottom line.  If Google could only rely on their own search for vulnerabilities, they may well have to spend all that extra time and effort themselves to get the same result.

The second conceptual flaw is that this visible market mechanism (that happens to be currently in the news) is the main method by which bad actors are acquiring their discovered facts.  Some research in the matter would show the dedicated student that this is often the exact reverse of reality.

Attempting to regulate the transfer of this kind of knowledge hasn’t worked before.  The discovery of facts happens simultaneously, and is not tied to a particular geography or people.  Regulating the outsourcing of vulnerability research with the aim of preventing your enemies from acquiring the products of research is naive.  It assumes that your enemies are in fact tied to this outsourcing marketplace, and are unable to perform their own research.

For consideration:  When some seedy beltway contractor snags a vBulletin exploit off of a Romanian hacker forum, scrubs the author information, then turns around to sell it to the NSA, there is nothing in the transaction that stops the  People’s Liberation Army (cue scary music) from finding that same exploit on that same forum, discovering the flaw themselves, or paying similar government cronies in Beijing  for the same effort.

%d bloggers like this: