Software Security and the Laws of Supply and Demand

by paco on Wednesday, December 5, 2012

SearchSecurity published an article suggesting that software development maturity is driving down the submission rate at one particular bug bounty program, ZDI. This looks like classical economics at work in software security.

Bug bounty programs sit at the heart of the equation, representing the value that business places on good software, whereas the black market’s price for a 0-day represents a criminal’s expected return on that vulnerability.

Theoretically, the price of a thing is subject to the pressures of supply and demand. Put simply, when supply exceeds demand, the price falls. When demand exceeds supply, the price rises. What we see in this article is twofold. Software is becoming more secure, which is restricting the supply side of critical defects. Software, taken as a big whole, is getting more secure because we known better and better what to do to make it secure. There are fewer bugs to be found, and the ones that exist take greater effort and skill to leverage.

The other side of this appears to be demand. ZDI is not the only place one can shop a zero day. There are legitimate bug bounty programs at various vendors (e.g., Google, Paypal) and then one can potentially hold out for a chance at a big payout at Pwn2Own (also sponsored by ZDI). If that fails, then one can shop the vulnerability on the black market where payouts are larger.

As the sale and distribution of stolen data becomes commercialised (e.g., as it gets easier and more certain that you can sell stolen data) the value of a vulnerability goes up for someone who is looking to exploit it illegally. That means the value they are willing to pay upstream to someone that provides an exploit can stabilise, too.

Our good work is creating scarcity in the market. This is driving up prices because the market is increasingly efficient. It will be interesting to see if this makes bug bounty programs unsustainable. If the bad guys can capitalise on insecure software more than the good guys can derive value from secure software, that is exactly what could happen.