Friday, January 29, 2010

Information Markets

Vulnerability data is a subset of a broader market in information. There's a great company called Intrade running a full market exchange based on boolean future facts (such and such will or will not happen). They were accurately predicting the Scott Brown victory well before it happened. Not a perfect system, but an interesting way to quantify the estimates being made and associated confidence metrics. You can email them to suggest new markets. Would be interesting to see the community suggest some 0-day related topics to price. The graphic shown lists the market price that the Higgs Boson Particle will be observed on/before 31 Dec 2010.

Also read an interesting article from ABC News using the recent Google compromise as an excuse to discuss the vulnerability market. Some of the more memorable quotes:
"Likely, they merely had to tap a thriving underground market, where a hole 'wide enough to drive a truck through' can command hundreds of thousands of dollars, said Ken Silva, chief technology officer of VeriSign Inc. Such flaws can take months of full-time hacking to find. 'Zero days are the safest for attackers to use, but they're also the hardest to find,' Silva said. 'If it's not a zero day, it's not valuable at all.'"
"Pedram Amini, manager of the Zero Day Initiative at the security firm TippingPoint, estimated that the IE flaw could have fetched as much as $40,000. He said even more valuable zero-day flaws are ones that can infect computers without any action on the users' part."
In this case, Microsoft actually knew about the flaw since September but hadn't planned to fix it until February, as companies sometimes prioritize fixing other problems and wait on the ones they haven't seen used in attacks.
There's also another, highly secretive market for zero days: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.
TippingPoint's Amini said he has heard of governments offering as high as $1 million for a single vulnerability — a price tag that private industry currently doesn't match.
Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.
One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system.
I had to chuckle at the line "Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment." Go figure. My blog post on this topic, with links to Pedram's and Charlie's papers as well as some companies that advertise their work in the domain, is here.

Also of interest is Google's announcement that they will be copying Mozilla in paying for vulnerabilities reported to them privately. With Chrome and Firefox both monetizing this information (at arbitrary, as opposed to market, prices) it remains to be seen how long Microsoft will hold out in refusing to pay for third-party research.