Bugs in the Market: Creating a Legitimate, Transparent, and Vendor-Focused Market for Software Vulnerabilities

Abstract

Ukraine, December 23, 2015. Hundreds of thousands of homes lost power. Call center communications were blocked. Authorities reported that 103 cities experienced a total blackout. The alleged cause? BlackEnergy malware. With so much of our daily lives reliant on computers, is modern civilization just a stream of ones and zeroes away from disaster?Malware like BlackEnergy relies on uncorrected security flaws in computer systems. Sometimes, the system owner fails to install a patch. Other times, there is no patch because the software vendor either did not know about or did not correct a critical security flaw. Meanwhile, the victim country’s government or their allies may have knowledge of the same flaw, but they were keeping the information secret so that they could use it against enemy states. There is an urgent need for a new legal and economic approach to cybersecurity that will curtail socially harmful behavior by security researchers and governments. Laws aimed at curbing cyberattacks typically focus on punishment, with little to no wiggle room provided for socially beneficial hacking behavior. Around the world, governments hoard zero day vulnerabilities while permitting software vendors to sue security researchers who plan to demonstrate critical security flaws at industry conferences. There is also a growing market for buying and selling security flaws, and the buyers do not always have society's best interests in mind. This Article delves into the world of cybersecurity and software and provides an interdisciplinary analysis of the current crisis. We present an economic model to explore incentives for selling vulnerability information in different types of markets. We then propose and design a revolutionary market for vulnerabilities aimed at facilitating legitimate, transparent, and vendor-focused transactions of critical security information at a fair market price. Our proposal brings together insights from economics, security, and law, and we provide examples for how such a market would function. Our market design draws inspiration from around the world, from commodity futures markets in New York and Chicago to archaeological sites in Iraq. Cyber threats cannot be contained by traditional philosophies of war and weaponry. The literature in this area is very limited but growing, and we present our proposal as a practical and achievable approach that will support socially desirable cybersecurity practices.