Revenue Maximizing Markets for Zero-Day Exploits

  • Mingyu Guo
  • Hideaki Hata
  • Ali Babar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9862)


Markets for zero-day exploits (software vulnerabilities unknown to the vendor) have a long history and a growing popularity. We study these markets from a revenue-maximizing mechanism design perspective. We first propose a theoretical model for zero-day exploits markets. In our model, one exploit is being sold to multiple buyers. There are two kinds of buyers, which we call the defenders and the offenders. The defenders are buyers who buy vulnerabilities in order to fix them (e.g., software vendors). The offenders, on the other hand, are buyers who intend to use the exploits (e.g., national security agencies and police). Our model differs from a single-item auction in three respects. First, an exploit is a piece of information, so one exploit can be sold to multiple buyers. Second, buyers have externalities: if one defender wins, then the exploit becomes worthless to the offenders. Third, if we disclose the details of the exploit to the buyers before the auction, then they may leave with the information without paying. On the other hand, if we do not disclose the details, then it is difficult for the buyers to come up with their private valuations. Considering the above, our proposed mechanism discloses the details of the exploit to all offenders before the auction. The offenders then pay to delay the exploit being disclosed to the defenders.


Keywords: Revenue maximization, Mechanism design, Security economics, Bug bounty



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. School of Computer Science, University of Adelaide, Adelaide, Australia
  2. Graduate School of Information Science, Nara Institute of Science Technology, Ikoma, Japan
