Malicious actors too often have an early monopoly on zero day attacks, able to exploit vulnerabilities before defenders know there’s a problem.
A new marketplace aims to break this cycle and rapidly get zero day vulnerability information directly to defenders while rewarding researchers. It is an evolution of bug bounty schemes, but with the researcher rather than the software vendor in the driving seat, and without any vendor-instigated delays.
Desired Effect provides an ethical vulnerability exchange marketplace. Its purpose is to help defenders get ahead of attackers, and to provide greater recognition and compensation for the vulnerability researchers upon whom much of the cybersecurity market depends.
It provides rapid access to newly discovered vulnerabilities, effectively cutting through the delay introduced by responsible disclosure (the window in which a zero day is known to the researcher, and perhaps the vendor, and may already be exploited by a malicious actor, but is still unknown to the users of the affected product). But this is a benefit rather than the purpose of the Desired Effect Marketplace.
“Short-circuiting responsible disclosure is not an important function of the marketplace,” says founder and CEO Evan Dornbush. “However, putting sellers in the driver’s seat is the purpose. Unlike existing programs where buyers dictate the terms, Desired Effect provides the vulnerability research community with a more equitable seat at the table.”
On one side of the table are the researchers (the sellers). On the other side are organizations concerned with maintaining the security of their systems (the buyers). Desired Effect provides an area where organizations and independent researchers can legitimately and legally transact for zero day exploits.
The nascent marketplace already exists. Dornbush, who has been a bug broker for 20 years, already knows both the sellers and the buyers. “Today we’re sitting on 60 different zero days, ranging from privilege escalation to baseband exploits. And within our partnership program we have industries including a mid-size regional bank, one of the big four accounting firms, an energy utility, and a cryptocurrency exchange.”
So far, researchers have joined the marketplace by invitation only. This will change as the marketplace evolves. Given more control over what happens with their research, Dornbush believes researchers will be attracted to sell their discoveries ethically first. This will not prevent occasional second selling on the dark web, but he is not overly worried about this: that is the way the software market works. You don’t buy exclusive rights; you buy a license to use.
“For attackers,” he says, “it’s fruit on a stand — and fruit goes bad. With the Desired Effect Marketplace, there’s now a built-in expiration date that will become baked into their calculus. That alone disrupts the current easy flow of a malicious zero day supply chain.” For defenders, it doesn’t matter if the attackers also get the information, so long as the defenders get it first.
The Marketplace also provides a route for individual defenders to outbid the notoriously deep pockets of organized criminal gangs. Let’s say that many hospitals use a particular version of an infusion pump. Rather than a single hospital trying to outbid the criminals, a community of hospitals can come together to offer a single sum that is realistic overall but manageable for each of them. Crowdsourcing bids on widely used critical systems would provide serious revenue to the researchers with greater speed, greater recognition, and less hassle than disclosing the flaw to a security vendor.
“The value that we bring to the world is getting the information to the defensive community faster. Once it has that information, it’s incentivized to share it. It wants the word to get out, it wants the manufacturers to be able to patch, and for the regular defensive community to upgrade signatures and firewalls and everything else. Without us, that information is only going to the bad guys. With us, it may go to the bad guys, but it is certainly going to the good guys.”
Most of those ‘good guys’ (who are vetted by the marketplace) would probably never see the actual exploit. “They would buy the rights to it, and then say, ‘Evan, go to the vendor and get this taken care of — I don’t want to deal with any of that hassle.’ And we’d do that.”
The Desired Effect Marketplace intends to upend the status quo. “Without us, the way the defense community gets awareness of these zero days is always post-breach, and by then it’s too late. A researcher finds a flaw and sells it to an attacker. The attacker weaponizes and uses it. Eventually, the attacker misfires and it makes its way across some kind of a sensor or a honeypot somewhere. Only then, the defensive community starts to say, ‘Hey, what is this? Let’s look at it. Oh, it’s bad. We should put out an advisory.’”
Then the vulnerability makes its way onto all the threat feeds. But it’s already out there in the wild, and the attackers have scanned the internet and know where they can use it before it is patched. “We bypass all of that, and we say to the defense community, ‘You’ve told us your organization relies on Dell laptops, Canon printers, iPhones, Apache Struts and other software to keep your business functional. I’m telling you right now that although it’s not currently being exploited, there’s an exploitable vulnerability in one of those things.’”
There’s a lot of interest in having the earliest possible warning. “We deliver disruptively superior intelligence feeds because we get closer to the source. We elicit and leverage cutting-edge research by providing a platform for researchers to ethically sell exploits to vetted buyers,” he adds.
“By offering an efficient, transparent marketplace, we normalize the buying and selling of zero day exploits, which has until now taken place in disparate and opaque markets at a disadvantage to everyone except the attackers.”