The economics of selling security vulnerabilities – or there is a market for everything

Posted on by Gerlinde Zibulski

When I studied Economics in the 90ies, Gary S Becker received the Nobel Price for his extension of the microeconomic analysis to include human behavior and social aspects including marriage, discrimination and for example having sex with your spouse. That raised a few eye-browse back then.

Nowadays I am wondering when an economist will publish a paper on the market of selling security vulnerabilities given that a French brokering firm for security vulnerabilities has just published the offer to pay 1 million US Dollars for a specific mobile phone operating system vulnerability.

Now they might just want to create a marketing buzz for their company, but just imagine which aspects a researcher could analyze…

Is this a supply driven or a demand-driven economy? Assuming that security researchers will not run out of a job anytime soon, the supply of zero day exploits should remain on its current level and will continue to do so for the forseeable future. It seems to me that the market for security vulnerabilities is a market where well coined buyers request specific zero day exploits for specific IT systems especially combinations of operating systems, browsers, email systems and databases. So it sounds more like a demand-driven economy to me, which is contrary to the current trend of the western capitalist world to favor supply driven economic policies.

Given that the prices paid seem rather high the market for security vulnerabilities ranges more amongst the market of luxury goods. They are so expensive because of their material cost, their creation as well as their brand name. However, some of the security researchers (aka hackers) might want to act without their real identity (their brand) to be known. That is one of the reasons why this market works with intermediaries which connect buyers to sellers. Another contrasting finding since the major trend in retail makes intermediaries unnecessary when customers can order directly from the manufacturer online or via one of the major online platforms. Makes you wonder when the first security vulnerability will be sold via the market leading online platforms… Or when you can see it auctioned off on…

Some buyers require unique usage rights of security vulnerabilities for which they are willing to pay a higher price. In other words, a seller should not resell it again. But honestly how would a buyer ever go about enforcing this or how would they even find out…

Many economists stress the point of liberal and unregulated markets, where “laissez faire” is the guiding principle. Whoever is willing to pay the highest price should be able to acquire the ordered zero day vulnerability…

If one wanted to regulate this market, how would they go about it? For the longest time cryptography has been considered a weapon and the import and export of weapons is strongly regulated. Even if you were able to set up rules amongst the military-industrial complex within a larger group of nations, there is absolutely no way that you will convince organizations that do not care about adhering to laws least to speak regulations like terrorist organizations from acquiring security vulnerabilities.

I think it’s high time that someone writes a PhD thesis about the market of selling security vulnerabilities.

The topic definitely gives Schumpeter’s law of “creative destruction” a whole new spin. 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.