Vulnerability markets

Information on vulnerabilities and information security threats is very valuable. In fact, there is a big market for it, but it’s neither structured nor liquid. Thinking seriously about this fact leads to a couple of questions: Would we live in a more secure world if every geek could go and sell his exploit at the market price? How could this market eventually be organised? What are the incentives of market participants, and where are the dangers of conflicts of interest?

Rainer Böhme holds a degree in communication science, economics and computer science. He is a researcher in the privacy and security group of the Technical University of Dresden. His particular interests include steganography and steganalysis, economics of information security as well as behavioural aspects of privacy and security. He has authored or co-authored several papers in these fields and contributed to a number of open source projects.

In the lecture "Vulnerability markets – What is the economic value of a zero-day exploit?", Rainer will combine examples from the real-world information security business with academic arguments on the pros and cons of vulnerability markets, including vulnerability sharing circles, bug auctions, remote root derivatives, and cyber-insurance.

We are aware that this is a very controversial topic, but we are looking forward to having Rainer on this journey to a hypothetical world where information security is entirely melted into finance so that S&P quotes a daily kernel hardness index.