By many accounts, however, bug-selling remains a relatively exclusive arena, meaning it shouldn't be tough to regulate. Furthermore, that's unlikely to change, as it's difficult to turn zero-day millionaire, given fierce competition from other bug hunters, as well as the risk that a vendor might already have discovered a zero-day vulnerability, and have a fix in development.
Still, the price paid for some vulnerabilities suggests that ethically speaking, sellers might be up to no good. As Microsoft threat analyst Terri Forslof has said, "If I'm paying $50,000 for a vulnerability, what am I doing with it? I'm likely not trying to get it patched."
Vulnerabilities are hot in part because they can be weaponized and put to work quite quickly. "It doesn't take much time at all to commoditize a vulnerability into an exploit," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. For example, he found that the Adobe Flash Player security update (CVE-2012-1535) released Aug. 14, 2012, was followed the very next day by the appearance of in-the-wild attacks that used Microsoft Office Word documents with embedded exploits of the Flash vulnerability. Interestingly, one of the decoy Word documents that employed the Flash exploit was apparently targeting people interested in atomic weapons programs. And by Aug. 17, the exploit was part of the open-source Metasploit vulnerability testing toolkit.
Given the shift from bug bounties to vulnerabilities being used to power digital espionage or offensive operations, why not regulate the sale of dangerous bugs? Of course, new government regulations aren't the solution to every problem. But most governments do regulate the sales of arms so average Joes can't buy rocket launchers or fighter attack jets, unless, of course, they are Larry Ellison. Furthermore, because "cyber warfare" is meant to be the new military frontier, there's no reason not to regulate the buying and selling of zero-day vulnerabilities, at least to ensure they're not being used for nefarious purposes.
Currently, there are no laws against the buying or selling of bugs. "It's important to realize that, however much of an unpleasant taste this might or might not leave in your mouth, none of these people are acting illegally," says Graham Cluley, senior technology consultant at Sophos, in a blog post. "They've worked hard, using their skills to discover vulnerabilities in software systems. They are not exploiting these security holes themselves, and they aren't breaking the law."
What vexes many security experts is that the details of the bug remain hidden to all but the buyer, thus potentially putting everyone else at risk. Furthermore, what if an unscrupulous third party or foreign government gets its hands on the zero-day and begins using it to attack American businesses or government systems?
According to Soghoian, vulnerability sellers argue that the buying and selling of vulnerabilities should be left to free-market forces. But as he said in his keynote, once other governments begin snapping up zero-days and using them to attack the United States, the U.S. government might suddenly find itself arguing for regulating bug sales on the grounds of self defense. For consumers and businesses that rely on PCs and who don't want to find themselves at the receiving end of an undetectable, zero-day-driven targeted attack, that would be welcome news.
Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)
