Dailydave mailing list archives
Re: Faster, smashter. (fwd)
From: security curmudgeon <jericho () attrition org>
Date: Wed, 10 Dec 2008 04:28:12 +0000 (UTC)
: I have been thinking about a potential futures market model to hedge the
: risk of software vulnerabilities. Perhaps a modified
: Black-Scholes-Merton model that could be tied into Microsoft's

I know little to nothing about economics but got curious about this model.
One assumption of this model is "There are no arbitrage opportunities," which
I read on to mean "in simple terms, a risk-free profit." Since this entire
topic revolves around risks of some sort, defining risk in this context is up
for debate, but it seems like a player in the market could operate with 'no'
risk if they choose.

It also assumes "All securities are perfectly divisible (i.e. it is possible
to buy any fraction of a share)," which doesn't seem to fit with the idea of
selling a vulnerability, unless you break it down to "description" versus
"proof of concept" versus "functional exploit" versus "wormified exploit"?

: exploitability index to determine the premium on the future contract ?
: Hedgers (companies, governmental institutions, military etc.) could then
: purchase these contracts from speculators (these could be us) to tie
: their risk into a dollar amount. On the other hand researchers can sell
: these contracts if they feel strongly about a software or inversely, buy

On a very simple level, this could be achieved with a simple market auction
system, akin to wslabi [1]. Rather than trade in developed exploits, players
could post a wish-list and exploit writers could cherry-pick ones of
interest. Actually, less like wslabi, more like RentACoder [2].

: these contracts to cash in their 0day when it hits the public domain. We
: need a fair market place for 0day (outside of the 2 known players whose
: model benefits no one) and I believe futures market model is the way to

There are more than 2 known players, first off. I assume based on public
perception and reputation you refer to iDefense and ZDI/TP?

If so, there are other buyers out there that use different models for
'purchase', including Digital Armaments [3] and their point-based system that
lets you buy/trade for other 0-days (more a vuln sharing club, and shady to
some), wslabi.com and the vulnerability auction house, as well as others that
don't advertise but certainly aren't totally secret.

: go. After all if you can hedge your exposure to weather, why can't you
: hedge it against 0day ? It is not as crazy as it sounds ....

Absolutely not. But it seems like there are just as many variables as, if not
more than, many other well-established markets. So not only do you have
variables, you have the immaturity of the market to overcome in establishing
all of this.

: I would appreciate ideas to tie the value of a vulnerability to a premium, any
: quants who do security as well ?

I'd recommend you pose these questions to the Security Metrics list. [4]

jericho

[1] http://wslabi.com/wabisabilabi/home.do?
[2] http://www.rentacoder.com/RentACoder/DotNet/default.aspx
[3] http://digitalarmaments.com/
[4] http://www.securitymetrics.org/content/Wiki.jsp?page=MailingList

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave