Daily Archives: 2006-02-22

Towards a market price for insecurity

Security economics

There’s been a certain amount of research into the value of security holes in the past few years (for a starter bibliography see the “Economics of vulnerabilities” section on Ross Anderson’s “Economics and Security Resource Page”).

Both TippingPoint and iDefense who currently run vulnerability markets for zero day exploits are somewhat coy about saying what they currently pay (and they both have frequent contributor programmes to try and persuade people not to stick with one buyer, which will distort the market).

The idea is that the firms will bid for the vulnerability, pay the finder (who will keep it quiet) and then work with the vendor to get the hole fixed. In the meantime the firm’s customers will get protection (maybe by a firewall rule) for the new threat — which should attract more customers, and will hopefully pay for buying the vulnerabilities in the first place. The rest of the world gets to hear about it when the vendor finally ships a fix in the form of patches.

It was reported that when TippingPoint came in (giving the impression that they’d be paying out various multiples of $1000) iDefense promptly indicated they’d be doubling what they paid… which one source indicated was usually around $300 to $1000. So competition seems to have affected the market; but the prices paid are still quite low.

However, last December eWEEK reported that some enterprising Russians were offering a 0-day exploit for the Microsoft WMF vulnerability for $4,000 (and it might not have been exclusive, they might sell it to several people).

And now — until the end of March — iDefense are offering an extra $10,000 on top of what they’d normally pay if when Microsoft eventually issue a patch they label a vulnerability as “critical” (viz: you could use it to construct a worm that ran without user interaction).

eWEEK have an interesting article on this, the quotes in which deserve some attention for the (non)grasp of economics that appears to be involved. First off they quote Microsoft as saying “We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers”. That’s an interesting viewpoint — perhap’s they will be submitting a paper to support their view to WEIS 2006?

eWEEK say (they don’t have an exact quote) that Michael Sutton of iDefense “dismissed the notion that paying for vulnerabilities helps to push up the price for hackers who sell flaws on the illegal underground markets”. That suggests either a market in which communication of pricing information is extremely poor; or that Sutton has a new economic theory that will influence the Nobel committee!

In the same article, Peter Mell from NIST is quoted as saying it was “unfair” to concentrate on a single vendor (though I expect iDefense chose Microsoft for their market share and not by tossing a coin!). He was also apparently concerned about the influence on Bill Gates’ fortune, “A third party with a lot of money could cause stock price shifts if they want to”. That’s just “Stock Exchange Operations 101” so I think we can discount that as a specific worry (though WEIS 2005 attendees will of course recall that security holes do affect share prices).