Published by The Lawfare Institute
in Cooperation With
A couple of years ago, a hacker known as “BuggiCorp” put an incredibly powerful zero-day exploit up for sale on the Russian underground forum called exploit.in. Zero-days are exploits that expose a software vulnerability previously unknown and, thus, can be especially powerful for groups or individuals seeking to gain or escalate access to computer systems. According to BuggiCorp, the exploited vulnerability on sale “could affect almost all Windows machines on the planet.” BuggiCorp was, in other words, offering the keys to the hacker kingdom.
This is not the first time that these powerful exploits have been publicly advertised. The market for zero-days is said to be flourishing, global and ever-present. They are “the blood diamonds of the security trade,” Nicole Perlroth writes, “pursued by nation-states, defense contractors, and cybercriminals on one side, and security defenders on the other.” According to David Sanger, “many firms from the outskirts of Fort Meade to Silicon Valley … hunt for—or surreptitiously purchase—‘zero-day’ flaws.”
In 2013, the National Security Agency had a budget of more than $25 million to purchase zero-days, in an internal budget document referred to as “covert purchases of software vulnerabilities.” The allegedly stolen documents purported to originate from the CIA in the Vault 7 leaks revealed that of the 14 exploits for Apple’s iOS owned by the agency at the time, four were purchased.
But the burgeoning market is far from efficient. To put it bluntly, the zero-day market is extremely prone to market failure. There are great information asymmetries between the sellers and buyers on the market, and it is often hard to reveal the quality of the exploit before sale. This frequently impedes sales. Also, to have as much information and control as possible over the sold exploit, buyers are much more likely to buy local and go to only a select group of sellers than is often realized.
Market for Lemons
George Akerlof won the Nobel Prize for his research showing how information asymmetries can lead to adverse selection in markets. When car buyers have imperfect information—not knowing as much about a car’s quirks and problems as the seller who has owned the car for a while—sellers of low-quality cars (“lemons”) can crowd out everyone else from their side of the market, stifling mutually advantageous transactions. If the buyer is unable to tell the difference between a good car and a lemon, she is unwilling to pay top-tier prices. This means the price is bound to be lower than what sellers of high-quality cars would be willing to sell for, driving them out of the market.
The zero-day exploit market is a market with extreme information asymmetries. The seller has much more information about whether the exploit is actually working. The market is also flooded with lemons. Many of the exploits offered are a lot less reliable than sellers initially report. Also, the buyer of an exploit is not always able to test the exploit before purchasing it, as the economic value would be lost once given to the buyer for “testing.” This structural setup makes even beneficial zero-day transactions difficult.
Michael Spence shared the Nobel Prize with Akerlof for his explanation that agents can use signaling to counteract the effects of the “lemon market” situation, otherwise known as “adverse selection.” In this asymmetric information context, signaling refers to observable actions taken by actors to convince the other party of the value of their products or services. A key insight developed by Spence is that signaling can succeed only if the signaling cost differs across “senders.”
As an example, Spence supposes there are two types of workers, both looking for a job. One worker has a higher productivity than the other. The problem is that the employer cannot distinguish between two workers and will thus offer the average wage (like the market for used cars). The more productive worker, however, can do something to stand out. She can, for example, get an academic degree to signal her competence. But what would stop the less productive candidate from also acquiring the same education? Spence notes that the cost of getting a degree must be higher for the less productive worker for the signal to be believable. This might be the case, for instance, if the less productive worker takes much longer to finish his education. He would then find it unprofitable to get a degree just to convince the hiring firm that he is more capable than he really is.
This is a behavior that occurs on the exploit sale market.
For example, BuggiCorp included two videos to prove that the exploit it was selling worked. In an attempt to sell the supposedly powerful exploit, BuggiCorp also asked for the deal to go through the administrator of the website as the escrow. This means the website administrator acts as a third party and transfers the money to BuggiCorp only if the buyer is satisfied with the product.
Yet the fact that the seller lowered the price from $95,000 to $90,000 after the exploit had been advertised for an extended period of time suggests that signaling was insufficient to convince other parties to buy the exploit. In fact, the price tag of $95,000 is already low for a reliable exploit that could affect all versions of Microsoft Windows.
Under the principle of Coordinated Vulnerability Disclosure (CVD), researchers often have the option to disclose newly discovered vulnerabilities to the vendors or other coordinator (instead of selling it to an entity that wants to use the exploit for hacking purposes). Through the CVD, Microsoft has paid out $13.6 million in bounty rewards between July 2020 and June 2021 to 341 researchers. As Krebs on Security also points out, Microsoft heavily restricts which vulnerabilities qualify for a bug bounty, “but the reward for a vulnerability which can fully bypass EMET is $100,000. That’s $10,000 more than BuggiCorp is asking for his zero-day.” In other words, if BuggiCorp’s exploit was truly working, why try to sell it on this website and not go directly to Microsoft?
More Select, Local Sellers
The information asymmetry in the market for zero-day exploits makes trust a crucial dimension of exploit sales and regionalizes the market.
First, governments will tend to buy, if they do at all, from a highly select group of preferred sellers. The U.S. government, for example, tends to buy its exploits from major U.S.-based defense contractors.
The other option is to work with a reliable exploit broker or platform. An exploit broker first acquires original and previously unreported zero-day research from developers, also known as bug hunters. They then sell it to their customers. Buying exploits through a broker reduces the number of parties a government organization has to engage with, allowing them to more easily vet the selling party and develop a long-term business relationship.
Second, these sellers are normally based within a government’s legal jurisdiction. Buying from sellers in the same legal jurisdiction also makes it easier to screen sellers (especially if they have a government background) and thus helps to overcome some of the information asymmetries. It also allows the buyer and the seller to communicate in their native language and provides opportunities to potentially sanction the seller in case of a fraudulent deal. There is little a government can do if it buys an unreliable exploit of an unknown entity in a faraway country.
The [offensive cyber capabilities] marketplace is largely oriented along the broad geopolitical lines we see anyhow. Some groups deliver into China and Russia, some deliver into Middle Eastern and North African autocratic systems, some deliver only to NATO or NATO-friendly countries. However, the marketplace is unstable and unreliable. Contrary to common belief, nations are not hoarding vulnerabilities. On the contrary. Selling exploits is still difficult and frustrating, which in turn leads to violations and fluctuation of talent and loyalties.
Indeed, the market is more regional than often appreciated.
The zero-day market suffers from other complications. Not least, delivery time and availability often impede sales. The exploit market is largely a buyer’s market. A buyer’s market happens when the purchaser has advantage over sellers in price negotiations. In this market, the primary advantage stems less from the relatively small number of buyers on the market (unlike, for example, the housing market) and more from the superior knowledge buyers have over the requirements.
To understand why this is the case, one needs to consider the timing of exploit sales. If an exploit is relevant to a current need, the exploit is worth more money. Yet that knowledge is almost completely internal to the buyer. Only the buyer knows its own mission needs, who it is seeking to target and when.
But buyers cannot easily advertise those needs. A buyer is going to reveal little information to an exploit broker about its planned cyber endeavors. For example, the U.S. Cyber Command is not going to announce, “We have an operation coming up that will need a certain Safari browser capability, partially with Farsi language support.” This is sensitive information that a government, or other buyer, is not keen to share.
As a consequence, this makes it a lot harder for developers outside the government to supply to current needs. Yet current needs are the main reason for sales. A buyer is not going to buy an exploit just to add it to its collection of exploits. One buys only if there is a need for use.
An Efficient Market?
Pretending that the zero-day market is efficient is part of sellers’ strategy. Yet the reality is that the market is more regional and less efficient than is often realized. States may hack global, but they prefer to buy local.
Editor's Note: This post is adopted from "No Shortcuts: Why States Struggle to Develop a Military Cyber-Force."