How the market for zero-day vulnerabilities works

Zero-days — bugs that are unknown to both vendors and users — are often weaponized by governments, criminals, and private arms dealers who sell to the highest bidders. The market for zero-days means that newly discovered bugs are liable to go unpatched until they are used in a high-profile cyberattack or independently discovered by researchers who'd rather keep their neighbors safe than make a profit.

The market for zero-days was created by a combination of corporate bullying and governmental desire for cyberweapons. Researchers who disclosed their findings to companies found themselves either ignored or, worse, facing legal threats when they tried to publish their findings. Meanwhile, governments started to buy and warehouse zero-days that they could use to attack their adversaries, largely indifferent to the possibility that their adversaries might use the same bugs to attack the citizens these governments were supposed to be defending.

With the international Wassenaar arms-limitation agreement being expanded to cover some cyberweapons, the debate over the buying and selling of zero-days is heating up. The Ars Technica primer on the zero-day markets is a great backgrounder for the coming debates.

At the moment, Wassenaar doesn't regulate zero-days or exploits; rather, it regulates the technology that would be used to create or interact with them. Lobbying from Oracle, a long-time enemy of security research, and some other big companies is trying to change that. "I think Oracle has fallen into the same trap that I've seen with other organisations that invest a lot, internally, into securing software," said Moussouris. "They look at the number of vulnerabilities that they find internally, and then they look at the relatively small percentage that are reported from the outside—and they mistake that big disparity for a reason why they should continue as they always have, and discouraging reports from the outside.

"The truth of the matter, upon further analysis and drawing from my own experiences building vulnerability coordination and bug bounty programs at Microsoft, is that you'd see the same thing: Microsoft was incredibly good at finding its own bugs, and would find way more than outside researchers. But that was by design! That means Microsoft was doing its job by trying to secure its own software first, by building very specialised tools, hiring specialised people—and that's good and correct."

Even if Oracle and friends successfully lobby for the regulation of security research and disclosure, another thorny issue will present itself: how do you define a zero-day, anyway? A zero-day could be a vulnerability that's unknown to the vendor. Or it could be known to various parties other than the vendor. Or it could simply be a vulnerability for which there is currently no patch. At the same time, there are plenty of issues out there that the vendor knows about but, for myriad reasons, hasn't patched.

The first rule of zero-days is no one talks about zero-days (so we'll explain)
[Sebastian Anthony/Ars Technica]