Innovation Alphabet

Zero-Day Vulnerability

In a nutshell

A zero-day vulnerability is a software flaw that developers have known about for “zero days”. As a result, no security patch is available yet to cover the flaw, and hackers can take advantage of it to access data and install malware on the attacked device.

Market Types

Software vulnerabilities give remote access to both stored information and information generated in real time. When a lot of people use the same software, one specific vulnerability can be used against millions of people.

This is why hackers have become interested in such vulnerabilities. This has also opened up an ethical debate. Many countries have created public institutions to deal with cybercrime, but they will likely conflict with the interest of their own government to access people’s information in order to prevent crime.

In the end, economic interest always wins, and the vulnerability market thrives in three different forms.

Three types of Zero-Day Vulnerability Markets

Direct market: The Chrome Vulnerability Reward Program is a bug bounty program offered by Google. It provides cash rewards and public recognition to security researchers who invest time and effort to identify new vulnerabilities in Chrome and Chrome OS channels.

Brokered market: Brokers deal directly with researchers, not with software companies. They validate discovered vulnerabilities and, based on their criticality, pay the discoverers. There are several completely legal sites that validate and pay for vulnerabilities discovered by cyber security researchers. This is a more lucrative type of marketplace than the direct one. It has become popular due to its ease of use, legality, and lucrative nature.

Black market: This is an illegal market that lives on private or semi-private sites. Sellers offer their zero-days to potential buyers. If the buyers are interested in an exploit (the digital attack corresponding to the vulnerability), the negotiation is carried out by an intermediary whose task is to guarantee the interests of all the actors involved. This is the most profitable type of market, but also the riskiest. It also differs in that, instead of selling the identified vulnerability, hackers often sell access to the system directly, preserving the existence of the zero-day.

Case Studies

• Stuxnet
This is a virus based on the exploitation of four Windows zero-day vulnerabilities that attacked SCADA systems (related to monitoring and supervising physical systems) and in particular PLCs (Programmable Logic Controllers, computers for managing and controlling industrial processes) of the uranium enrichment plant in Natanz, Iran, sabotaging its nuclear efforts.

• Operation Aurora
In January 2010, a massive cyber-attack from China targeted several U.S. giants including Google, Juniper Networks, and Yahoo, using zero-day vulnerabilities in Internet Explorer and one in Perforce, the code revision software used by Google to manage its codebase. The goal was to steal their trade secrets.

• SecurID hack
In 2011, two-factor authentication titan RSA SecurID suffered an attack that led to the compromise of its network due to a malicious Excel file mistakenly opened by an employee. The breach cost EMC, RSA’s parent company, $66.3 million in investigations, costs to strengthen IT systems and monitor the transactions of more than 30,000 customers.
