Throwing cash at zero-days won't solve the problem: researchers

Governments and businesses can’t curb the threat of zero-day vulnerabilities by throwing money at the problem alone, researchers from MIT and Harvard along with infosec firm HackerOne have found.

In a blog post titled 'The Wolves of Vuln Street' published today ahead of talks at the RSA Conference next week, HackerOne chief policy officer Katie Moussouris and Dr Michael Siegel of MIT's Sloan School presented their study into he economics of the marketplace for zero-day vulnerabilities in software.

A zero-day vulnerability refers to a security hole in a product that its vendor is unaware of, meaning no patch is available.

Moussouris and Siegel undertook a study into the economic forces of the zero-day market and came up with a model for how the market behaves.

They found that it was not solely motivated by price alone, with many other factors tipping the scales between 'offense' (the black market) and 'defense' (technology vendors).

"Not all hackers are primarily motivated by money. Even those who sell to governments, often do so selectively, intentionally choosing sides, even if the “other side” might pay them more money," they wrote.

Bug bounties have become more popular and effective, but just as the stakes and cash have risen for white-hat hackers, so too has the opportunity to sell to the black market, the researchers found.

However, some vulnerabilities will never be sold at a price that technology companies can afford, they wrote.

"The offense buyers [such as governments who purchase vulnerabilities for state-sponsored attacks, surveillance or use in law enforcement] are in a position to outspend the defense buyers, so how do defenders hope to gain any advantage in this market?" they wrote.

"For defenders, there is a logical price ceiling for vulnerabilities, above which only offense-use buyers can go."

Moussouris and Siegel - along with a number of others from MIT and Harvard - sought to uncover the most efficient way for technology companies to reduce the amount of zero-day vulnerabilities if price alone would not work to gain an edge over the black market.

What can the industry do?

Moussouris said the key to getting technology vendors ahead was not only finding and fixing as many bugs as possible, but also specifically to find and fix those in use by attackers, referencing Google's zero-day hunting program Project Zero as an example.

The researchers said creating incentives for automated tools and techniques supporting vulnerability discovery could prove to be a more efficient way for technology companies to "drain the offense stockpile of zero day vulnerabilities". 

"Defenders can more quickly drain the offense stockpile of vulnerabilities when they have access to better tools and techniques for vulnerability discovery," they found.

"More mature vendors should consider augmenting their standard bug bounty programs to include special incentives for tools and techniques that help them find vulnerabilities more efficiently."

Individual technology companies should first invest in their own security development lifecycle, then look to offer individual bug bounties to catch any vulnerabilities they missed, the researchers said.

"It’s also a way to find great defenders with the hacker mindset to hire," Moussouris wrote.

"[More mature tech vendors] should try creating incentives for tools and techniques in addition to any individual bug bounty to specifically increase the rate at which they can find the same bugs as the offense side has stockpiled."

For those in government tasked with the tricky position of defending against zero-day attacks while similarly exploiting the vulnerabilities for offensive purposes, the researchers said the focus needed to be broadened.

"[For policy makers] who currently debate whether or not to disclose a specific vulnerability to the vendor to get it fixed to protect national security, or add it to their own offensive stockpile to use against domestic targets or other nations, this is an important question, but not the most pressing question," Moussouris wrote.

"The conversation should broaden to include in this debate the idea of making tools and techniques available to defenders."

Many offense-oriented hackers who sell to governments say they don’t use tools for most of their vulnerability discovery, she said.

"This is simply because they are that skilled. For defenders of varying skill levels to scale, tools are the most efficient way to try to catch up. Governments playing roles in both defense and offense should also try to help defenders gain access to better tools for vulnerability discovery."

The "tug of war" between attackers and defenders will always exist - the question is how the industry can structure incentives towards making defense more appealing and offense more expensive, Moussouris said.

"There are more levers to tip the scales from one side to the other than just money, and defenders need to begin to use them."

HackerOne is among a consortium of organisations which support the not-for-profit Internet Bug Bounty, aimed at improving critical internet infrastructure.

The program will now be expanded to include a bounty for tools and techniques that aid in vulnerability discovery and determining exploitability, the company announced today.

"We’d like to encourage hackers to make these tools available to the world, so that defenders can scale their efforts more efficiently," Moussoris wrote in her post.

"If you’d like to nominate a tool or technique for a bounty under this program expansion, please include a publicly-available link to the tool and write-up, preferably pointing to resolved bugs found using this tool or technique. "