Posted on September 23, 2013
(Editor’s note: This summer the New York Times reported on how both the U.S. and Iranian governments planned to pay steep bounties for newly discovered hardware and software vulnerabilities. In this guest essay, Morten R. Stengaard, chief technical officer at IT security firm Secunia, examines the wider implications.)
So what if it became a common practice for government agencies to begin outbidding vendors like Microsoft, Google and Apple for information about unpatched software vulnerabilities – often referred to as zero-day flaws?
Presumably the government agencies would not disclose the flaws for the greater good so that fixes could get underway. Instead, they would use them to target the infrastructures of other nations.
Arguably, in the short-term this can be seen as a challenge. But long-term, governments entering and disrupting the market for software vulnerabilities could potentially be beneficial.
This could actually help to create a mature market for vulnerability research, with proper incentives and rewards.
It’s simple economics. When nations like the United States enter the market for information about software vulnerabilities, and are willing to pay prices higher than anything the market has seen before, obviously the average market price goes up.
This is boosted by other nations entering the market, as well as by vendors like Microsoft and Google, which raise the prices they are willing to pay for the same information, driving up demand and prices even further. In the short term this disruption of the market is indeed a challenge: in a market where the supply of information is constant, with some vulnerabilities now being sold to government agencies, fewer vulnerabilities will be sold to the vendors who could fix them.
Since the financial incentives have now become much more interesting, more researchers invest additional time in looking for vulnerabilities in software – what the New York Times article refers to as a “gold rush”.
It is obvious that the supply of information about software vulnerabilities in the market will increase, establishing a new equilibrium. What is not clear, however, is whether prices in this new equilibrium will be higher or lower than before the disruption; that will depend on the shift in demand relative to the shift in supply.
In essence, if the increase in information about software vulnerabilities being offered to the market is relatively larger than the increase in demand from buyers, it is possible that the new balance could in fact result in lower prices in the long term.
Another important fact to consider is that it is highly likely that in some instances, the same vulnerabilities are discovered by several researchers, and that the information about these is then offered to the market from multiple sources, allowing multiple buyers to obtain it.
If, for example, a government agency buys information about a vulnerability, and the same vulnerability is later discovered by another researcher, there is naturally one less buyer in the market. It could be that the buyer now willing to pay the highest price is in fact the software vendor behind the vulnerable product, who will actually fix the flaw. Naturally, this implies that software vendors will have to step up and pay higher prices for the information, which Microsoft is already doing.
I believe one has to take a more holistic view on the market for information about software vulnerabilities and how it is maturing. Clearly, the days where the most you could get in return for information about software vulnerabilities was a T-shirt and your name mentioned when the vulnerability was disclosed are over.
The important point though is that price hikes are often seen when markets mature, and in my opinion it is unlikely that prices of $500,000 – as the example mentioned above – will be the new standard.
What is certain, though, is that more buyers willing to pay higher prices will spur an increase in incentive for researchers looking for software vulnerabilities, and thereby a bigger and more mature market will be created. This, I believe, is good.