RESEARCH PRODUCT
Vulnerability Black Markets: Empirical Evidence and Scenario Simulation
Eliot Rich, Jaziar Radianti, Jose J. Gonzalez
subject
Responsible disclosure, Exploit, Computer science, Software security assurance, Vulnerability, Context (language use), Vulnerability management, Empirical evidence, Computer security, computer.software_genre, computer, Industrial organization, Insider
description
This paper discusses the manifest characteristics of online Vulnerability Black Markets (VBM), insider actors, interactions and mechanisms, obtained from masked observation. Because VBM transactions are hidden from general view, we trace their precursors as secondary evidence of their development and activity. More general attributes of VBMs and the exploits they discuss are identified. Finally, we introduce a simulation model that captures how vulnerability discoveries may be placed in a dual legal-black market context. We perform simulations and find that if legal markets expose vulnerabilities that go unresolved, the security and quality of software may suffer more than in the absence of a legal market. Thus the problem scope expands beyond vulnerability trading to one that requires active participation and reaction by software vendors.
year | journal | country | edition | language |
---|---|---|---|---|
2009-01-01 | 2009 42nd Hawaii International Conference on System Sciences | | | |