Abstract

Markets for zero-day exploits (software vulnerabilities unknown to the software vendor) have a long history and a growing popularity. We study these markets from a revenue-maximizing mechanism design perspective. We first propose a theoretical model for zero-day exploits markets. In our model, one exploit is being sold to multiple buyers. There are two kinds of buyers, which we call the defenders and the offenders. The defenders are buyers who buy vulnerabilities in order to fix them (e.g., software vendors). The offenders, on the other hand, are buyers who intend to utilize the exploits (e.g., national security agencies and police). We study the problem of selling one zero-day exploit to multiple defenders and offenders. Our model has a few unique features that make it different from single-item auctions. First, an exploit is a piece of information, so one exploit can be sold to multiple buyers. Second, buyers have externalities. If any defender wins, then the exploit becomes worthless to the offenders. Third, if the auctioneer discloses the details of the exploit to the buyers before the auction, then they may leave with the information without paying. On the other hand, if the auctioneer does not disclose enough details, then the buyers cannot determine how valuable the exploit is. Considering the above, our proposed mechanism discloses the details of the exploit to all offenders at the beginning of the auction. The defenders will receive the information slightly delayed. The offenders bid to prolong the delay and the defenders bid to shorten the delay. We derive the optimal mechanism for single-parameter valuations. For general valuations, we propose three numerical solution techniques. One is based on iterative linear programming and the other two are based on neural networks and evolutionary computation.
