Home page logo
/

dailydave logo Dailydave mailing list archives

Re: Faster, smashter. (fwd)
From: Charles Miller <cmiller () securityevaluators com>
Date: Wed, 10 Dec 2008 09:28:34 -0600

I wrote some about this too:

http://weis2007.econinfosec.org/papers/29.pdf

I like the idea of a derivative market.  Its the only way I've heard  
where you can make money by dropping 0-days on full disclosure, for  
example.  The drawback is that I know I can make 100k for my IE  
exploit, but I don't know how much I can make by buying the "IE sucks"  
derivative.  There will only be so many people willing to buy the "IE  
is rock solid" one and once I start buying up the "IE sucks" one, it  
will be even harder to make a big score.

Charlie


On Dec 10, 2008, at 1:40 AM, Thorsten Holz wrote:

On Dec 10, 2008, at 3:19 AM, sinan.eren () immunitysec com wrote:

I would appreciate ideas to tie the value of a vulnerability to a
premium, any
quants who do security as well ?


Rainer Böhme discussed the idea of exploit derivatives and cyber-
insurances in a talk at CCC'05: http://events.ccc.de/congress/2005/fahrplan/events/801.en.html
There is also a paper from the Workshop on the Economics of
Information Security (WEIS 2005), in which Böhme discusses these ideas
in more detail: http://infosecon.net/workshop/pdf/15.pdf

Pretty interesting concept, but some obstacles need to be taken when
implementing such a market (monoculture, correlation of attacks and
such).

Cheers,
  Thorsten
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault