Dailydave mailing list archives

Re: Faster, smashter. (fwd)


From: security curmudgeon <jericho () attrition org>
Date: Wed, 10 Dec 2008 04:28:12 +0000 (UTC)


: I have been thinking about a potential futures market model to hedge the 
: risk of software vulnerabilities. Perhaps a modified 
: Black-Scholes-Merton model that could be tied into Microsoft's 

I know little to nothing about economics but got curious about this model. 
One assumption of this model is "There are no arbitrage opportunities" 
which I read to mean "in simple terms, a risk-free profit." Since 
this entire topic revolves around risks of some sort, defining risk in 
this context is up for debate, but it seems like a player in the market 
could operate with 'no' risk if they choose. It also assumes "All 
securities are perfectly divisible (i.e. it is possible to buy any 
fraction of a share)" which doesn't seem to fit with the idea of selling a 
vulnerability, unless you break it down to "description" versus "proof of 
concept" versus "functional exploit" versus "wormified exploit"? 

: exploitability index to determine the premium on the future contract? 
: Hedgers (companies, governmental institutions, military etc.) could then 
: purchase these contracts from speculators (these could be us) to tie 
: their risk into a dollar amount. On the other hand researchers can sell 
: these contracts if they feel strongly about a software or inversely, buy 

On a very simple level, this could be achieved with a simple market 
auction system, akin to wslabi [1]. Rather than trade in developed 
exploits, players could post a wish-list and exploit writers could cherry 
pick ones of interest. Actually, less like wslabi, more like RentACoder 
[2].

: these contracts to cash in their 0day when it hits the public domain. We 
: need a fair market place for 0day (outside of the 2 known players whose 
: model benefits no one) and I believe futures market model is the way to 

There are more than 2 known players first off. I assume based on public 
perception and reputation you refer to iDefense and ZDI/TP? If so there 
are other buyers out there that use different models for 'purchase' 
including Digital Armaments [3] and their point based system that lets you 
buy/trade for other 0-days (more a vuln sharing club, and shady to some), 
wslabi.com and the vulnerability auction house as well as others that 
don't advertise, but certainly aren't totally secret.

: go. After all if you can hedge your exposure to weather, why can't you 
: hedge it against 0day? It is not as crazy as it sounds ....

Absolutely not. But it seems like there are just as many variables as, if 
not more than, many other well-established markets. So not only do you have 
variables, you have the immaturity of the market to overcome in 
establishing all of this.

: I would appreciate ideas to tie the value of a vulnerability to a premium, any 
: quants who do security as well?

I'd recommend you pose these questions to the Security Metrics list. [4]

jericho


[1] http://wslabi.com/wabisabilabi/home.do?
[2] http://www.rentacoder.com/RentACoder/DotNet/default.aspx
[3] http://digitalarmaments.com/
[4] http://www.securitymetrics.org/content/Wiki.jsp?page=MailingList
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave