A zero-sum game: the zero-day market in 2018

ABSTRACT

The most recent overview of white and grey markets in the zero-day trade was published in 2015 and much new evidence has since emerged. By examining data from bug bounty platforms, newly published pricelists and Russian language reporting, I aim to produce an updated picture of prices, market dynamics and policy implications. Analysis of the white market indicates that generally higher supply and demand is increasing prices, as more zero-days are found and organisations become more aware of the costs of breaches. Nevertheless, factors other than supply and demand shape the market, crucially the impetus among researchers to work for non-monetary rewards. Prices in the grey market also seem to be increasing, with comparisons of public price lists showing that zero-days affecting mobile operating systems, particularly iOS, were most valuable. Furthermore, recent evidence implies the existence of a grey market in Russia which is analysed below. Finally, this paper proposes three policy recommendations to mitigate the risk from zero-days, particularly as the Internet of Things comes to fruition. Secure software development, improving vulnerability disclosure legislation and establishing mechanisms for governments to decide what to do with the zero-days they find are all vital to reducing the current threat.

KEYWORDS:

• Zero-day
• exploit
• software vulnerability
• white market
• grey market

Disclosure statement

No potential conflict of interest was reported by the author.

Notes on contributor

Joss Meakins is a graduate of Cambridge and Columbia Universities. His research interests include cyber deterrence and Russian security policy. He has previously been published in the International Journal of Intelligence and Counterintelligence, as well as RUSI Defence Systems. He has spent time at RUSI and the European Leadership Network where he authored a report on Russia’s approach to cyber deterrence.