Legitimate Vulnerability Markets By: Jeff Wheeler

Introduction Software Vulnerability Markets –Why do they exist? Vendors create vulnerable software –Rush to market –Inadequate testing To make money –On the Black Market –In Legitimate Markets –Who participates? White hat parties Black hat parties Vendors

Introduction –Who facilitates the transactions? Government, Open Market, Software Vendors –How can these markets operate? Auction based Computer Emergency Response Team(CERT) Consortium Based Federally Funded –What are the incentives to or not to participate in these markets? Non-disclosure Partial-disclosure Full-disclosure

A simple Software Lifecycle

Why do Vulnerability Markets Exist? Rush to market –Software Vendors agendas are not necessarily in our best interest Increasing Software Complexity Software Testing only works so well Software will have bugs the developer does not find People are willing to pay for bug information –White Hat –Black Hat

White Hat versus Black Hat White Hat Community –Exist for the greater good of all or specific groups –Does not use vulnerability information to harm others –In general, attempt to bring about more secure software Black Hat Community –Use vulnerabilities to gain access or harm others –In general, breaking one or many laws Liberal Democrats

Bug Lifecycle

Who Facilitates these Transactions? Government Motivation –National Security Prevent Attacks that could leak government secrets Gain access to foreign networks for preventative information retrieval Cyber Warfare –Espionage, propaganda, DOS –Social Welfare

Who Facilitates these Transactions? Open Market –Profit motivation –Product is unique vulnerability information Are not necessarily disclosed to the vendor –Vendor disclosure is not always the best option This information is valuable to companies with secure infrastructure needs –Capable of offering the most compensation for information Creates a larger community of software testers

Who Facilitates these Transactions? Software Vendor –Motivations Looks Bad when other markets exist that do better than the vendor at securing their own product –Problems Do not usually offer money –It is the right thing to do to submit bugs to the vendor to fix –They have not done it in the past –It will create a battleground for vulnerability information between them and competition –Make them subject to blackmail

How can these markets operate? Auction Like –Benefit Increases participation –Fair market price –Compensation increases based on severity of bug –A well setup market High initial bug value Combine monetary and reputation reward –Monetary reward less if found in forums or black market Guaranteed minimum amount of money available to market Guaranteed minimum amount of time the market will be open for participation

How can these markets operate? Computer Emergency Response Team Model –Collection - We collect vulnerability reports in two ways: monitoring public sources of vulnerability information and processing reports sent directly to us. After receiving reports, we perform an initial surface analysis to eliminate duplicates and false alarms, and then catalog the reports in our database. –Analysis - Once the vulnerabilities are cataloged, we determine general severity, considering factors such as the number of affected systems, impact, and attack scenarios. Based on severity and other attributes, we select vulnerabilities for further analysis. Our analysis includes background research, runtime and static analysis, reproduction in our test facilities, and consultation with vendors and other experts. –Coordination - When handling direct reports, we work privately with vendors to address vulnerabilities before widespread public disclosure. We have established, secure communication channels with hundreds of technology producers, both directly and through relationships with computer security incident response teams (CSIRTs) all over the world. We have years of experience successfully coordinating responses to vulnerabilities that affect multiple vendors.computer security incident response teams (CSIRTs) –Disclosure - After coordinating with vendors, we take steps to notify critical audiences and the public about the vulnerabilities. To the best of our ability, we produce accurate, objective technical information focused on solutions and mitigation techniques. Targeting a technical audience (administrators and others who are responsible for securing systems), we provide sufficient information to make an informed decision about risk.

How can these markets operate? Consortium Model –Group of organizations gather together funds to cover expenses involved in the gathering of vulnerability information –Not for profit –Only helps those within the consortiums members, unless they disclose

How can these markets operate? Federally Funded –Government supplies funds for the purchase of vulnerability information –No direct charge to users –Helps largest amount of users Organizations still require the other models –Makes the public feel safe –Allows for easier government eavesdropping if they operate

Incentives and disincentives for Disclosure Non-Disclosure –Always benefits aware black hat parties –Individual white hat discovery and disclosure would cause many systems to become vulnerable during patching Partial Disclosure (vendor disclosure) –Vendor may determine it will not be found again, so why patch? –After patch release, many systems will remain un-patched and vulnerable

Incentives and disincentives for Disclosure Full-Disclosure –Ensures black hat and white hat community is aware of vulnerability –Gives everyone a fair shot at protecting themselves –Vendor patch will be released sooner, assumption –Leads to negative software vendor image, possibly leading to more time testing?