Revenue Maximizing Markets for Zero-Day Exploits
Mingyu Guo, Hideaki Hata, Ali Babar

TL;DR
This paper models the sale of a single zero-day exploit to multiple buyers with conflicting interests (defenders who want to patch the vulnerability and offenders who want to use it) as a revenue-maximizing mechanism design problem, and proposes a mechanism that accounts for the externality between the two groups and for the difficulty of disclosing exploit details to prospective buyers.
Contribution
It introduces a theoretical model for zero-day exploit markets with multiple buyers and externalities, and designs a mechanism to maximize revenue considering information disclosure issues.
Findings
The proposed mechanism accounts for the externality between defenders and offenders: once a defender obtains the exploit and fixes it, the exploit is worthless to the offenders.
Disclosing exploit details to offenders before auction influences buyer valuations.
The mechanism optimizes revenue by balancing disclosure and delay strategies.
Abstract
Markets for zero-day exploits (software vulnerabilities unknown to the vendor) have a long history and a growing popularity. We study these markets from a revenue-maximizing mechanism design perspective. We first propose a theoretical model for zero-day exploit markets. In our model, one exploit is being sold to multiple buyers. There are two kinds of buyers, which we call the defenders and the offenders. The defenders are buyers who buy vulnerabilities in order to fix them (e.g., software vendors). The offenders, on the other hand, are buyers who intend to utilize the exploits (e.g., national security agencies and police). Our model is more than a single-item auction. First, an exploit is a piece of information, so one exploit can be sold to multiple buyers. Second, buyers have externalities. If one defender wins, then the exploit becomes worthless to the offenders. Third, if we…
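The two properties the abstract singles out (the exploit is information, so any subset of buyers can win; a defender winning zeroes the offenders' value) are enough to show why a standard single-item auction is the wrong tool. The following is an added illustration, not code or a mechanism from the paper: it assumes a full-information simplification in which the seller knows every valuation and can charge each winner its realized value, and it uses constructed buyer names and valuations. It brute-forces the revenue-maximizing winner set under the externality and compares it with a second-price single-item auction run over the same bidders.

```python
"""Added illustration of the market model in the abstract (not the paper's
own mechanism). Full-information simplification: the seller knows each
buyer's valuation and charges each winner exactly its realized value."""

from itertools import combinations
from typing import Dict, FrozenSet, Iterable, Tuple

# Constructed sample valuations (hypothetical buyers, not taken from the paper).
DEFENDERS: Dict[str, float] = {"vendor": 60.0, "bug_bounty_platform": 25.0}
OFFENDERS: Dict[str, float] = {"agency_a": 50.0, "agency_b": 45.0, "agency_c": 30.0}


def realized_value(buyer: str, winners: Iterable[str],
                   defenders: Dict[str, float], offenders: Dict[str, float]) -> float:
    """Value a winning buyer actually obtains given the whole winner set.

    Externality from the abstract: if any defender is among the winners, the
    exploit will be patched, so every offender's realized value is zero.
    Defenders get their full value regardless of who else wins.
    """
    if buyer in defenders:
        return defenders[buyer]
    if buyer in offenders:
        if any(w in defenders for w in winners):
            return 0.0
        return offenders[buyer]
    raise KeyError(f"unknown buyer {buyer!r}")


def full_info_revenue(winners: Iterable[str],
                      defenders: Dict[str, float], offenders: Dict[str, float]) -> float:
    """Revenue when each winner pays its realized value (full-information assumption)."""
    winners = list(winners)
    return sum(realized_value(b, winners, defenders, offenders) for b in winners)


def best_allocation(defenders: Dict[str, float],
                    offenders: Dict[str, float]) -> Tuple[FrozenSet[str], float]:
    """Brute force over every winner subset.

    Feasible precisely because the exploit is information: the seller may hand
    it to any number of buyers, so the search space is all non-empty subsets,
    not the single-winner choice of an ordinary auction. Ties keep the first
    (smallest) subset found.
    """
    buyers = list(defenders) + list(offenders)
    best, best_rev = frozenset(), 0.0
    for k in range(1, len(buyers) + 1):
        for subset in combinations(buyers, k):
            rev = full_info_revenue(subset, defenders, offenders)
            if rev > best_rev:
                best, best_rev = frozenset(subset), rev
    return best, best_rev


def second_price_single_item(defenders: Dict[str, float],
                             offenders: Dict[str, float]) -> Tuple[str, float]:
    """Baseline that ignores both properties: one winner, paying the second-highest bid."""
    bids = sorted({**defenders, **offenders}.items(), key=lambda kv: kv[1], reverse=True)
    winner = bids[0][0]
    price = bids[1][1] if len(bids) > 1 else 0.0
    return winner, price


if __name__ == "__main__":
    winners, rev = best_allocation(DEFENDERS, OFFENDERS)
    print("best winner set:", sorted(winners), "revenue:", rev)
    print("second-price single-item auction:", second_price_single_item(DEFENDERS, OFFENDERS))
```

With the constructed valuations the offender coalition is worth 125 in total while the defenders are worth 85, so the revenue-maximizing seller sells to all three offenders and to no defender; a second-price single-item auction over the same bidders would instead hand the exploit to the vendor for 50. Raising the vendor's valuation high enough flips the answer to selling to the defender side, at which point adding offenders to the winner set contributes nothing because of the externality. The paper's actual mechanism has to reach a comparable allocation from reported bids, without the full-information shortcut assumed here, and additionally has to cope with the fact that buyers cannot evaluate an exploit without being told about it.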
Taxonomy
Topics: Auction Theory and Applications · Spam and Phishing Detection · Game Theory and Applications
