BUGS IN THE SYSTEM
Research Report
BUGS IN THE SYSTEM: A Primer on the Software Vulnerability Ecosystem and its Policy Implications
ANDI WILSON
ROSS SCHULMAN
KEVIN BANKSTON
TREY HERR
Copyright Date: Jul. 1, 2016
Published by: New America
Pages: 40
OPEN ACCESS
https://www.jstor.org/stable/resrep10484
Table of Contents
  1. Front Matter
    Front Matter (pp. [i]-[i])
  2. Table of Contents
    Table of Contents (pp. 1-1)
  3. EXECUTIVE SUMMARY
    EXECUTIVE SUMMARY (pp. 2-3)
  4. INTRODUCTION
    INTRODUCTION (pp. 4-5)

    In recent years, there has been a seemingly endless string of massive data breaches in both the private and public sectors, resulting in the theft of vast amounts of private data.¹ Whether the breach target is a major company like Sony,² Anthem,³ or Ashley Madison,⁴ or a government agency like the Office of Personnel Management,⁵ the IRS,⁶ or the Joint Chiefs of Staff,⁷ such breaches are very often made possible by a software vulnerability—a “bug” in the system—that was unknown or left unaddressed by the target or its software vendor. Although some high-profile hacks involve previously unknown or...

  5. WHAT ARE VULNERABILITIES?
    WHAT ARE VULNERABILITIES? (pp. 5-6)

    Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software, putting users and networks at risk.¹⁵ Much of cybersecurity can be reduced to a constant race between the software developers and security experts trying to discover and patch vulnerabilities, and the attackers—criminals, states, hacktivists, or others—seeking to uncover and exploit those vulnerabilities. Attackers can use vulnerabilities to force critical programs to crash, to compel monitoring utilities to report and act on incorrect information, to extract authentication credentials and personal information from databases, or even to infiltrate and take operational...

  6. WHO DISCOVERS VULNERABILITIES?
    WHO DISCOVERS VULNERABILITIES? (pp. 7-8)

    In the early days of the internet, security was considered to be a mostly theoretical problem and wasn’t a top priority for software vendors—until the Morris Worm of 1998.²⁸ Coded by a grad student motivated more by curiosity than malice, this early example of malware was the first to have such a widespread impact—it infected 10 percent of all internet-connected computers at the time—that it made national news and resulted in the first conviction under the Computer Fraud and Abuse Act of 1986.²⁹

    In the intervening decades, the computer security community and industry have exploded. Today, there...

  7. WHAT ARE EXPLOITS AND HOW ARE THEY USED?
    WHAT ARE EXPLOITS AND HOW ARE THEY USED? (pp. 9-9)

    Exploits are small software programs written to take advantage of a vulnerability. While exploits are necessary to build malware, they are not malware in and of themselves. When security researchers find a vulnerability, for instance, they may write a “proof-of-concept” exploit to demonstrate that the flaw exists so that it can be patched. For the malicious hacker, however, an exploit can serve as the means to deploy malware.

    Anything that can hold or transmit data can be used to propagate malware. For example, an attacker could use an email attachment, compromised website, or USB memory stick to distribute malware. Or...

  8. HOW ARE VULNERABILITIES DISCLOSED SO THEY CAN BE PATCHED?
    HOW ARE VULNERABILITIES DISCLOSED SO THEY CAN BE PATCHED? (pp. 10-11)

    To disclose a vulnerability is to share information about its existence or exploitation with another actor. Since vulnerabilities allow systems to be manipulated by third parties, they expose software users to security risks, and often quite serious ones. For this reason, there is pressure on those who discover vulnerabilities to disclose them in ways that will get them patched quickly while minimizing exposure of the vulns to those who might exploit them before they are patched. Not everyone who finds a vulnerability has the same interests, and not everyone agrees on the most responsible way to handle vulnerability disclosure, but...

  9. HOW ARE VULNERABILITIES PATCHED (OR NOT)?
    HOW ARE VULNERABILITIES PATCHED (OR NOT)? (pp. 12-13)

    When the company or group that is responsible for securing a piece of software learns about a vulnerability, that vuln is no longer a “zero-day,” a vulnerability that has just been discovered and therefore theoretically has had zero days to be patched. Once that vendor knows about the vulnerability, it hopefully will work to eliminate it by patching the software with fixes or work-arounds that negate the threat.⁶⁵ However, vendors are more likely to prioritize the patching of newer “flagship” products than older ones, and older systems that are still in use but rarely patched or updated are an ongoing...

  10. WHICH LAWS DISCOURAGE SECURITY RESEARCH AND VULNERABILITY DISCLOSURE?
    WHICH LAWS DISCOURAGE SECURITY RESEARCH AND VULNERABILITY DISCLOSURE? (pp. 13-15)

    As we’ve already described, the question of whether and how to disclose a given vulnerability to the appropriate vendor is already a complex one. Making the calculus even more complicated is another, even more personal factor: legal risk. In some cases, laws aimed at stopping malicious hacking and digital copyright infringement have had the unintended consequence of chilling legitimate security research.⁷⁵ In particular, laws like the Computer Fraud and Abuse Act⁷⁶ and the Digital Millennium Copyright Act,⁷⁷ though designed to meet the challenges of the digital age, have been used to bring civil or criminal charges against legitimate researchers or...

  11. WHAT IS THE VULNERABILITIES MARKET?
    WHAT IS THE VULNERABILITIES MARKET? (pp. 15-19)

    Vulnerabilities are bought and sold, rented and traded, just like any other commodity—sometimes between companies with legal contracts and sometimes between anonymous hackers through internet forums. The market is a key component of the vulnerabilities ecosystem, and comprises a variety of different players that all interact and affect the broader picture. Mapping this ecosystem helps us to understand the incentives that drive discoverers either to disclose vulnerabilities to the vendor to be patched, or to sell them to the highest bidder. So who buys, and who sells, vulnerabilities?

    Earlier in the paper we discussed the four categories...

  12. WHY GOVERNMENTS DO (OR DON’T) DISCLOSE THE VULNERABILITIES THEY FIND OR BUY
    WHY GOVERNMENTS DO (OR DON’T) DISCLOSE THE VULNERABILITIES THEY FIND OR BUY (pp. 19-19)

    When governments purchase vulnerabilities on the market they have the same three options for disclosure as independent researchers: nondisclosure, full disclosure, and partial disclosure. However, their set of interests is very different from those of independent researchers. Security researchers or academics might seek the credibility or notoriety that could come from full disclosure; or they may want compensation or professional recognition through legal bug bounties or other vulnerability rewards programs; or they may want the bigger financial rewards of the black or gray market. Governments are not seeking any of these things.

    Governments have a set of unique incentives to...

  13. CONCLUSION: WHAT POLICIES WILL FOSTER THE DISCOVERY, DISCLOSURE, AND PATCHING OF VULNERABILITIES?
    CONCLUSION: WHAT POLICIES WILL FOSTER THE DISCOVERY, DISCLOSURE, AND PATCHING OF VULNERABILITIES? (pp. 20-24)

    Now that we know what vulnerabilities and exploits are, who buys and who sells them, what types of laws can chill researchers and what kind of vulnerability reward programs can motivate them, it’s worth asking the natural next question: what policies might better ensure that more vulnerabilities are discovered, disclosed, and patched faster? How can we better align incentives to ensure that more researchers are sharing the vulnerabilities they find with the people who can fix them, rather than selling them to those who want to exploit them?

    There are a number of opportunities that policymakers have to influence the...

  14. Notes
    Notes (pp. 25-36)
  15. Back Matter
    Back Matter (pp. 37-38)