
A PRELIMINARY MODEL OF THE VULNERABILITY BLACK MARKET

Abstract

This model shows only the unintended consequences of a policy intended to mitigate the software vulnerability problem. Our system dynamics approach shows that there are feedback loops that counteract the effects of the intended policy. Zero-day exploits, a rushed patch cycle, and supply of and demand for vulnerabilities are further unintended effects of the disclosure policy. The latter problem involves the emergence of the vulnerability black market, which permits 'sellers' (hackers) and buyers (criminal or terrorist groups) to trade secret vulnerability information. The model also shows that the vulnerability black market may not grow so fast, or might even be contained, if the legal system can effectively create a situation in which hackers face a higher risk when conducting cyber crime.

This model needs to be supported by more empirical evidence and data. Further validation is also required before we reach a fully validated system dynamics model of the vulnerability black market problem. As the next steps of this research, we intend to gather extensive data for our case, to validate further the structure and behavior of the model, and to build the model out further (the model described in this paper is a work in progress). We also want to explore some policy levers relevant to our case.

Given the substantial unintended impacts of the full disclosure policy, the idea of "responsible disclosure" has developed recently. We could consider this idea as part of the policy extension of this research. Responsible disclosure means reporting a vulnerability directly to the vendor and allowing sufficient time to produce an update; it benefits the users and everyone else in the security system by providing the highest-quality security update possible. Vendors are given an appropriate amount of time to investigate a security report, reproduce it against all supported platforms, analyze it for variations and similar vulnerabilities in surrounding code, and test the resulting update to ensure an appropriate level of quality for mass distribution. Responsible disclosure is considered not to increase risk or introduce additional risk in the way that full disclosure can.

In addition, we plan to simulate some policies that are pertinent to software quality improvement and the vulnerability black market issue. Various authors have proposed the following policies to overcome the software vulnerability problem: raising users' awareness of the quality of software products (Minasi 2000); strengthening legal measures against anyone who commits cyber crime (Grannick 2004); and opening the market by creating competition among hackers and providing monetary rewards for discovering vulnerabilities, which can serve to improve software quality (Bohme 2005, 2006; Schechter 2002; Ozment 2004; Camp and Wolfram 2004). Schechter (2002), for example, proposes that vendors or security firms create a vulnerability market in order to ascertain the cost to break their system. Schechter's main proposal is an economic approach in which a producer offers rewards at the market price to the first testers (persons or organizations who identify vulnerabilities in return for payment) who inform the producer of a new vulnerability in its product; the market price is governed by the competition among those testers. Andy Ozment (2004) formulated the vulnerability market as a bug auction based on the "Dutch auction" template, which has a key advantage: a reward is always offered, ensuring that vulnerabilities are reported immediately even if they could be traded on the black market.

Further steps are to compare several policy runs and to find the best policy for containing the black market and improving software quality. Finally, we will perform the policy analysis to reach the final conclusion on this problem. At this point, we feel confident that an effective model will provide valuable insights and lessons to
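The system-dynamics argument above (feedback loops, legal risk as a lever, a vendor reward market as a lever) can be sketched as a small stock-and-flow simulation. The following is an added toy illustration written for this page, not the paper's model and not code from its authors: every stock, flow, decision rule and parameter value is an assumption chosen to be plausible, and both policy levers act through one hypothetical seller-decision rule. It shows how a balancing loop (more listings lower the price, which discourages selling) and a policy lever (prosecution risk or a legal bounty) change the equilibrium size of the black market.

```python
"""Toy stock-and-flow sketch of a vulnerability black market.

Added illustration of the system-dynamics style of argument in the abstract.
This is NOT the paper's model: every stock, flow, decision rule and parameter
value below is an assumption chosen to be plausible, not data from the page.
Stocks are integrated with explicit Euler steps, the usual system-dynamics
numerical scheme.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Params:
    discovery: float = 20.0   # vulns found by hackers per month (assumed)
    disclose: float = 0.20    # fraction of undisclosed vulns reported to vendors per month (assumed)
    sell_max: float = 0.50    # max fraction of undisclosed vulns offered for sale per month (assumed)
    demand: float = 10.0      # buyer demand scale that sets the black-market price (assumed)
    penalty: float = 10.0     # cost to a seller of prosecution, in price units (assumed)
    legal_risk: float = 0.0   # probability per sale of being prosecuted: policy lever
    bounty: float = 0.0       # legal reward a vendor market pays for the same vuln: policy lever
    patch: float = 0.30       # fraction of traded zero-days patched per month (assumed)
    dt: float = 0.1           # integration step in months


@dataclass
class State:
    undisclosed: float = 0.0  # stock: known to a hacker, neither disclosed nor sold yet
    market: float = 0.0       # stock: live zero-days being traded on the black market
    price: float = 0.0        # auxiliary: black-market price at the last step


def black_market_price(market: float, p: Params) -> float:
    """Supply/demand balance: more listings push the price down (balancing loop)."""
    return p.demand / (1.0 + market)


def sell_propensity(price: float, p: Params) -> float:
    """Fraction of the undisclosed stock offered for sale per month.

    A seller weighs the black-market price against the expected cost of
    prosecution (legal_risk * penalty) and the legal alternative (bounty).
    Once that payoff is non-positive, nothing is offered for sale.
    """
    payoff = price - p.legal_risk * p.penalty - p.bounty
    if price <= 0.0 or payoff <= 0.0:
        return 0.0
    return p.sell_max * min(1.0, payoff / price)


def step(s: State, p: Params) -> State:
    """One Euler step: compute flows from the current stocks, then integrate."""
    price = black_market_price(s.market, p)
    sell_rate = sell_propensity(price, p) * s.undisclosed
    disclose_rate = p.disclose * s.undisclosed
    patch_rate = p.patch * s.market
    undisclosed = s.undisclosed + p.dt * (p.discovery - sell_rate - disclose_rate)
    market = s.market + p.dt * (sell_rate - patch_rate)
    return State(max(0.0, undisclosed), max(0.0, market), price)


def simulate(p: Params, months: float = 120.0) -> list[State]:
    """Run the model from empty stocks and return the full trajectory."""
    s = State()
    history = [s]
    for _ in range(round(months / p.dt)):
        s = step(s, p)
        history.append(s)
    return history


def steady_market(legal_risk: float, bounty: float = 0.0) -> float:
    """Black-market stock at the end of a run for the given policy levers."""
    p = Params(legal_risk=legal_risk, bounty=bounty)
    return simulate(p)[-1].market


if __name__ == "__main__":
    # Sweep the legal-risk lever with no bounty, then try a bounty alone.
    for r in (0.0, 0.05, 0.2, 0.5):
        print(f"legal_risk={r:.2f} bounty=0  zero-days on market ~ {steady_market(r):6.2f}")
    print(f"legal_risk=0.00 bounty=5  zero-days on market ~ {steady_market(0.0, 5.0):6.2f}")
```

With no prosecution risk and no bounty the two stocks settle at a linear equilibrium (roughly 48 traded zero-days under these assumed rates); raising the legal-risk lever, or offering a bounty that beats the expected black-market payoff, cuts selling off once the price falls below the seller's threshold and the market stock stays near one. The point of the sketch is the shape of the argument, not the numbers: real parameter values are exactly the empirical data the abstract says the model still lacks.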
