Market for zero-day exploits

The market for zero-day exploits is the commercial activity surrounding the buying and selling of software exploits.

Software vulnerabilities and "exploits" are used to gain remote access both to stored information and to information generated in real time. When most people use the same software, as is the case in most countries today given the monopolistic nature of internet content and service providers, a single vulnerability can be used against thousands if not millions of people. In this context, criminals have become interested in such vulnerabilities. A 2014 report from McAfee and the Center for Strategic and International Studies estimates the cost of cybercrime and cyberespionage at around $160 billion per year.[1] Countries worldwide have appointed public institutions to deal with this issue, but those institutions will likely conflict with their own government's interest in accessing people's information in order to prevent crime.[2] As a result, both national security agencies and criminals conceal certain software vulnerabilities from users and from the original developer alike. Such an undisclosed vulnerability is known as a zero-day, and code that takes advantage of it as a zero-day exploit.

Much has been said in academia and in the mainstream media about regulating the market for zero-day exploits. However, consensus is hard to reach because most definitions of a zero-day exploit are rather vague or not applicable in practice, as the use of a given piece of software can only be classified as malicious after it has taken place.[2] In addition, there is a conflict of interest within the operations of the state that could block any regulation making the disclosure of zero-days mandatory. Governments face a trade-off between protecting their citizens' privacy by reporting vulnerabilities to private companies on one hand and undermining the communication technologies used by their targets, who also threaten the security of the public, on the other.[3] Exploiting software vulnerabilities unknown to both companies and the public is a powerful resource for security agencies in the name of national security, but it also compromises the safety of every user, because any third party, including criminal organizations, may be making use of the same vulnerability.[4] Hence, only users and private firms have incentives to minimize the risks associated with zero-day exploits: the former to avoid invasions of privacy and the latter to reduce the costs of data breaches. These costs include legal proceedings, the cost of developing a fix or "patch" for the original vulnerability in the software, and the loss of client confidence in the product.[5]

  1. ^ McAfee & Center for Strategic and International Studies (2014). Net Losses: Estimating the Global Cost of Cybercrime.
  2. ^ a b Bellovin, S. M., Blaze, M., Clark, S., & Landau, S. (2014). Lawful hacking: Using existing vulnerabilities for wiretapping on the Internet. Northwestern Journal of Technology and Intellectual Property, 12(1).
  3. ^ Choi, J. P., Fershtman, C., & Gandal, N. (2010). Network security: Vulnerabilities and disclosure policy. The Journal of Industrial Economics, 58(4), 868-894.
  4. ^ Fidler, M., Granick, J., & Crenshaw, M. (2014). Anarchy or Regulation: Controlling the Global Trade in Zero-Day Vulnerabilities (Master's thesis, Stanford University). https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf
  5. ^ [Reference "radianti" is cited in the text but not defined in the source.]