Due to society's increasing dependence on information and technology, and the impact privacy and security vulnerabilities now have on our everyday lives, the demand for and price of n-day and zero-day exploits has reached unprecedented levels. The supply side's inability to penetrate this emerging market impedes optimal stakeholder participation. The impediments include inadequate proof-of-value and pricing information for stakeholders wishing to conduct ROI analyses on exploits prior to sale or purchase.
In terms of price and value, a local privilege escalation exploit targeting a deprecated operating system is worth significantly less than a remote code execution exploit targeting a ubiquitous operating system. In terms of cost-benefit relative to time and effort, security researchers are less incentivized to pursue the discovery of vulnerabilities having a lower perceived value and more incentivized to pursue the discovery of vulnerabilities having a higher perceived value. Similarly, vendors are less incentivized to pursue the remediation of vulnerabilities having a lower perceived value and more incentivized to pursue the remediation of vulnerabilities having a higher perceived value.
Coordinated disclosure services like bug bounty platforms aim to remedy these misaligned incentives, but often fall short. Because of their desire to minimize costs and maximize revenue, software and hardware vendors are incentivized to assess a disclosed vulnerability's risk at a level lower than a competitive market would. Oftentimes, security researchers are subsequently rewarded a discounted bounty amount, or, worse, nothing at all, after having disclosed a vulnerability's details to a vendor.
Exacerbating an already dire situation, the primary stakeholders have diametrically opposing interests. Security researchers face constant legal retaliation for their good-faith intent of discovering and responsibly disclosing vulnerabilities; vendors face the looming threat of humiliation and damage to their reputation as a result of full disclosure practices.
When combined, these factors create significant market distortions that subject everyone to discreet and unnecessary risks. The privacy and security of countries, corporations, organizations, and individuals alike remain unknowingly at risk because of the black market that has consequently materialized.
As a result, vulnerabilities and exploits remain accessible only to participants privy to the black market, such as criminal enterprises and state-sponsored entities, which creates an increasingly hostile digital frontier for everyone. Vulnerabilities and exploits remain undisclosed, and software vendors lack not only the motivation but also the situational awareness to remediate them.
Exploit Exchange disrupts these moral hazards. We correct the market distortions that have materialized by facilitating more effective and efficient market participation. Using a patent-pending behavioral incentive system, we align stakeholder interests, fostering a more accountable, rewarding, and collaborative disclosure process.
We accomplish this by incorporating game-theoretic incentives into our exploit brokerage services. By reducing asymmetric information through transparent price discovery, and coupling that with financial rewards, strict privacy controls, and a secure channel of exchange, we afford stakeholders the high level of confidence and assurance they desire when buying and selling premium n-day and zero-day security exploits.