A Survey of Vulnerability Markets presented at FIRST 2014

by Art Manion,

Summary: The past several years have seen growth in markets for information about software vulnerabilities. Vendors offer bug bounties, brokers arrange transactions between buyers and sellers, and offensive-minded firms discover and sell vulnerabilities (usually in the form of exploits) to subscribers. Technical information and weaponized exploits aren't traded by themselves -- exclusivity and secrecy are what give information value in these markets. What are the key similarities and differences between markets? What does market growth mean for public policy around vulnerability disclosure? What data is even available to attempt to answer these questions? Come hear the results of our survey and discuss the implications of evolving vulnerability markets.