Bugs in the Market: Creating a Legitimate, Transparent, and Vendor-Focused Market for Software Vulnerabilities

78 pages. Posted: 2 Mar 2016. Last revised: 4 Oct 2016.

Jay P. Kesan

University of Illinois College of Law

Carol Mullins Hayes

University of Washington - The Information School

Date Written: February 20, 2016


Ukraine, December 23, 2015. Hundreds of thousands of homes lost power. Call center communications were blocked. Authorities reported that 103 cities experienced a total blackout. The alleged cause? BlackEnergy malware. With so much of our daily lives reliant on computers, is modern civilization just a stream of ones and zeroes away from disaster?

Malware like BlackEnergy relies on uncorrected security flaws in computer systems. Sometimes, the system owner fails to install a patch. Other times, there is no patch because the software vendor either did not know about or did not correct a critical security flaw. Meanwhile, the victim country’s government or their allies may have knowledge of the same flaw, but they were keeping the information secret so that they could use it against enemy states.

There is an urgent need for a new legal and economic approach to cybersecurity that will curtail socially harmful behavior by security researchers and governments. Laws aimed at curbing cyberattacks typically focus on punishment, with little to no wiggle room provided for socially beneficial hacking behavior. Around the world, governments hoard zero-day vulnerabilities while permitting software vendors to sue security researchers who plan to demonstrate critical security flaws at industry conferences. There is also a growing market for buying and selling security flaws, and the buyers do not always have society's best interests in mind.

This Article delves into the world of cybersecurity and software and provides an interdisciplinary analysis of the current crisis. We present an economic model to explore incentives for selling vulnerability information in different types of markets. We then propose and design a revolutionary market for vulnerabilities aimed at facilitating legitimate, transparent, and vendor-focused transactions of critical security information at a fair market price. Our proposal brings together insights from economics, security, and law, and we provide examples for how such a market would function. Our market design draws inspiration from around the world, from commodity futures markets in New York and Chicago to archaeological sites in Iraq. Cyber threats cannot be contained by traditional philosophies of war and weaponry. The literature in this area is very limited but growing, and we present our proposal as a practical and achievable approach that will support socially desirable cybersecurity practices.

Suggested Citation

Kesan, Jay P. and Hayes, Carol Mullins, Bugs in the Market: Creating a Legitimate, Transparent, and Vendor-Focused Market for Software Vulnerabilities (February 20, 2016). Arizona Law Review, Vol. 58, 2016, University of Illinois College of Law Legal Studies Research Paper No. 16-18, Available at SSRN: https://ssrn.com/abstract=2739894 or http://dx.doi.org/10.2139/ssrn.2739894

Jay P. Kesan

University of Illinois College of Law

504 E. Pennsylvania Avenue
Champaign, IL 61820
United States
217-333-7887 (Phone)
217-244-1478 (Fax)

HOME PAGE: http://www.jaykesan.com

Carol Mullins Hayes (Contact Author)

University of Washington - The Information School

Box 353350
Seattle, WA 98195
United States
