Re: Faster, smashter. (fwd)
From: security curmudgeon <jericho () attrition org>
Date: Wed, 10 Dec 2008 04:28:12 +0000 (UTC)
: I have been thinking about a potential futures market model to hedge the
: risk of software vulnerabilities. Perhaps a modified
: Black-Scholes-Merton model that could be tied into Microsoft's
I know little to nothing about economics but got curious about this model.
One assumption of this model is "There are no arbitrage opportunities"
which I read on to mean "in simple terms, a risk-free profit." Since
this entire topic revolves around risks of some sort, defining risk in
this context is up for debate, but it seems like a player in the market
could operate with 'no' risk if they choose. It also assumes "All
securities are perfectly divisible (i.e. it is possible to buy any
fraction of a share)" which doesn't seem to fit with the idea of selling a
vulnerability, unless you break it down to "description" versus "proof of
concept" versus "functional exploit" versus "wormified exploit"?
: exploitability index to determine the premium on the future contract ?
: Hedgers (companies, governmental institutions, military etc.) could then
: purchase these contracts from speculators (these could be us) to tie
: their risk into a dollar amount. On the other hand researchers can sell
: these contracts if they feel strongly about a software or inversely, buy
On a very simple level, this could be achieved with a simple market
auction system, akin to wslabi. Rather than trade in developed
exploits, players could post a wish-list and exploit writers could cherry
pick ones of interest. Actually, less like wslabi, more like RentACoder
: these contracts to cash in their 0day when it hits the public domain. We
: need a fair market place for 0day (outside of the 2 known players whose
: model benefits no one) and I believe futures market model is the way to
There are more than 2 known players first off. I assume based on public
perception and reputation you refer to iDefense and ZDI/TP? If so there
are other buyers out there that use different models for 'purchase'
including Digital Armaments and their point based system that lets you
buy/trade for other 0-days (more a vuln sharing club, and shady to some),
wslabi.com and the vulnerability auction house as well as others that
don't advertise, but certainly aren't totally secret.
: go. After all if you can hedge your exposure to weather, why can't you
: hedge it against 0day ? It is not as crazy as it sounds ....
Absolutely not. But it seems like there are just as many variables, if not
more, than many other well established markets. So not only do you have
variables, you have the immaturity of the market to overcome in
establishing all of this.
: I would appreciate ideas to tie the value of a vulnerability to a premium, any
: quants who do security as well ?
I'd recommend you pose these questions to the Security Metrics list.
Dailydave mailing list
Dailydave () lists immunitysec com