Bugs in the Market: Creating a Legitimate, Transparent, and Vendor-Focused Market for Software Vulnerabilities

Ukraine, December 23, 2015. Hundreds of thousands of homes lost power. Call center communications were blocked. Authorities reported that 103 cities experienced a total blackout. The alleged cause? BlackEnergy malware. With so much of our daily lives reliant on computers, is modern civilization just a stream of ones and zeroes away from disaster?

Malware like BlackEnergy relies on uncorrected security flaws in computer systems. Sometimes, the system owner fails to install a patch. Other times, there is no patch because the software vendor either did not know about or did not correct a critical security flaw. Meanwhile, the victim country’s government or its allies may have known about the same flaw but kept the information secret so that it could be used against their enemies.

There is an urgent need for a new legal and economic approach to cybersecurity that will curtail socially harmful behavior by security researchers and governments. Laws aimed at curbing cyberattacks typically focus on punishment, with little to no wiggle room provided for socially beneficial hacking behavior. Around the world, governments hoard zero-day vulnerabilities while permitting software vendors to sue security researchers who plan to demonstrate critical security flaws at industry conferences. There is also a growing market for buying and selling security flaws, and the buyers do not always have society’s best interests in mind.

This Article delves into the world of cybersecurity and software and provides an interdisciplinary analysis of the current crisis, contributing to the limited but growing literature addressing these new threats that cannot be contained by traditional philosophies of war and weaponry. First, the Article presents an economic model to explore incentives for selling vulnerability information in different types of markets. Then, it proposes and designs a revolutionary market for vulnerabilities aimed at facilitating legitimate, transparent, and vendor-focused transactions of critical security information at a fair market price. The proposal combines insights from economics, security, and law, and draws inspiration from around the world, from commodity futures markets in New York to archaeological sites in Iraq. The Article applies the marketplace proposal to several examples, demonstrating that it is a practical and achievable approach that will support socially desirable cybersecurity practices.