Markets for zero-day exploits: ethics and implications

Authors:
Serge Egelman;Cormac Herley;Paul C. van Oorschot
Affiliations:
University of California, Berkeley, Berkeley, CA, USA;Microsoft Research, Redmond, WA, USA;Carleton University, Ottawa, ON, Canada
Venue:
Proceedings of the 2013 workshop on New security paradigms workshop
Year:
2013

Citing 5
Cited 0

Computer security strength and risk: a quantitative approach

Computer security strength and risk: a quantitative approach
Is Finding Security Holes a Good Idea?

IEEE Security and Privacy
A comparison of market approaches to software vulnerability disclosure

ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
Why computer talents become computer hackers

Communications of the ACM
An empirical study of vulnerability rewards programs

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

A New Security Paradigms Workshop (2013) panel discussed the topic of ethical issues and implications related to markets for zero-day exploits, i.e., markets facilitating the sale of previously unknown details on how to exploit software vulnerabilities in target applications or systems. The related topic of vulnerability rewards programs ("bug bounties" offered by software vendors) was also discussed. This note provides selected background material submitted prior to the panel presentation, and summarizes discussion resulting from the input of both the panelists and NSPW participants.