Scheduled System Maintenance:
On May 6th, single article purchases and IEEE account management will be unavailable from 8:00 AM - 12:00 PM ET (12:00 - 16:00 UTC). We apologize for the inconvenience.
By Topic

Vulnerability Bazaar

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

1 Author(s)
McKinney, D. ; Symantec, Cupertino

A pure vulnerability market is one in which each discrete vulnerability is a unit of trade with a price assigned to it by the buyer, seller, and demand. In such a market, exclusivity of knowledge is a key factor in overall value, thus when a vulnerability becomes public knowledge, it loses its value. Other factors also come into play, such as the affected product's popularity, the vulnerability's security impact, and the exploit's ease and efficacy. Vulnerabilities in this market retain their peak value when very few people know about them; value decreases through events such as vendor notification, information leaks, independent rediscovery, or accidental discovery of the vulnerability due to attack activity in the wild. Because it's difficult to certify and appraise information exclusivity, many buyers contractually obligate vulnerability reporters to exclusivity agreements to ensure that their information is exclusive to the best of their knowledge. Very few buyers are interested in nonexclusive information.

Published in:

Security & Privacy, IEEE  (Volume:5 ,  Issue: 6 )