Abstract for: A Quest for a Framework to Improve Software Security: Vulnerability Black Markets Scenario
There are numerous discussions of possible leverage points for improving software quality, and they have been framed in various contexts, from technical approaches and better user education to economic approaches. One of the central questions in these discussions is the best policy for handling vulnerability discoveries. Several approaches have been developed: secret reporting, full disclosure, responsible disclosure, and a market approach. The dominant concern with the market approach is the Vulnerability Black Market (VBM), which emerged alongside this development as an alternative venue for malicious hackers to sell exploits and malware that take advantage of flaws in software. The model in this paper draws on empirical observations of black markets and on the market-based approach to vulnerability discovery to build a simple model of the VBM. The results suggest that efficient legal markets may attract malicious hackers into the legal markets and reduce the likelihood that they become involved in vulnerability black markets. The results also suggest that better patch management may mitigate the abuse of software vulnerabilities.