What drives researchers to seek out vulnerabilities and submit them to companies, and how can companies compete with black market sales? HackerOne set out to find out.
In a new research paper published Tuesday, security response and bug bounty organization HackerOne, led by the firm's Chief Policy Officer and former Microsoft Bug Bounty creator Katie Moussouris, teamed up with economics and policy experts from MIT and Harvard to explore the dynamics of the zero-day market.
The team found that the vulnerability market is not driven by cold, hard cash alone, but that incentives are a critical component of the Security Development Lifecycle -- the process by which companies build security into each phase of product development to ship software that is as secure and bug-free as possible.
When a new product is launched, such as the latest version of Windows, a race begins in both the offense and defense markets to find software vulnerabilities. In the offense sphere, vulnerabilities may be sold on the black market for high prices or used individually to break into a system. Meanwhile, white-hat security professionals in the defense market may be looking for security flaws in order to submit them to bug bounty programs, or simply to alert companies for the prestige.
In the past, it was common for independent researchers to alert companies to vulnerabilities in their products for little more than a reputation boost and credit. However, as cybersecurity becomes a critical issue, there are many ways to monetize these skills -- and few people will turn away from financial incentives. In addition, the opportunities to sell vulnerability details in both the offensive and defensive markets have multiplied.
The problem companies face is that players in the offensive market are often willing to pay very high prices for vulnerabilities. Therefore, Moussouris and the research team decided to find out which market dynamics could tip the odds in favor of corporate, defensive players.
The goal of the team's research was to build a model that examined the levers of the market. Theories, economic models and the current security landscape were analyzed, together with the forces of supply and demand.
In a paper titled "The Wolves of Vuln Street - The first system dynamics model of the 0-day market," the team found that the vulnerability market is not controlled by price alone. Bug bounties remain effective in vulnerability discovery, and creating incentives for tools and techniques that support vulnerability discovery is an efficient way for defenders to drain the offensive zero-day stockpile.
While price is considered a key lever in the vulnerability market, Moussouris argues that if governments or companies try to compete against the black market by offering six-figure discovery rewards, these large payouts could have an adverse effect. A handful of such bounties a year would match a salary, draining the developer and tester talent pool out of the tech firms that need those skilled staff to actually fix the bugs.
"Defenders can certainly get bugs faster by creating incentives for individual vulnerabilities, but an important limit to recognize here is that there is a ceiling on the prices they can offer without creating perverse incentives and undesirable consequences," Moussouris argues.
The team says that "more eyes can only get you so far" in vulnerability discovery. Additional eyes and money help, and offering bounties for individual bugs remains an effective method, especially for less mature software. But making better tools available to security professionals can drain the black market of vulnerabilities more quickly, because discovery becomes more efficient even with fewer researchers on the case.
There are a number of ways the industry can respond to such findings, Moussouris says. Organizations should invest substantial funding in their Security Development Lifecycle and offer bug bounties and incentives for developers to improve the security of their products, while hackers in turn should research better tools and techniques to improve their marketability as security experts. Moussouris commented:
"In the end, the tug of war between attackers and defenders will always exist. How we structure incentives toward making offense more expensive for attackers and giving more defenders an advantage is the question. There are more levers to tip the scales from one side to the other than just money, and defenders need to begin to use them.
The Wolves of Vuln Street are among us, yet we are studying the dynamics of the pack to make the shepherds of Internet defense more effective."