This module of the course on Cybercrime, Cyberespionage and Cyberconflicts examines the topic of software vulnerabilities, their associated exploits, and the role they play in the cyberarms industry. The module first provides some foundational definitions on how vulnerabilities are numbered (CVE) and scored (CVSS). It then discusses the notion of zero-day vulnerability and the white/gray/black industries that emerged around them -- notably vulnerability reward ("bug bounty") programs and clandestine markets. Some key ideas about the dynamics of zero-day vulnerabilities are discussed using a 2017 RAND report that analyzes the life statuses, longevity, collision rate, and costs of a dataset of 200 0-day exploits spanning 14 years. The module concludes with an overview of the ethical conundrums of vulnerability -- and computer security -- research.
Learning Outcomes
- Understand the information available in a CVE entry.
- Know the CVSS scoring rubrics and how to use them.
- Know the lifecycle and markets for zero-day vulnerabilities and associated exploits.
- Recognize and discuss the ethical challenges related to vulnerabilities and exploits due to their potential for harm.
- Vulnerabilities
  - FIRST. Mastering CVSS v3.1.
- Zero-day Vulnerabilities
  - No mandatory reading
- The Rise of an Industry
  - No mandatory reading
- Analysis: The Life of Zero-days and Their Exploits
  - L. Ablon and A. Bogart. Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. RAND Corporation, 9 March 2017.
- The Ethics of Vulnerability Research
  - Terrell Bynum. Computer and Information Ethics. The Stanford Encyclopedia of Philosophy (Summer 2018 Edition), Edward N. Zalta (ed.).
The slides used in class for this module are available here.
The list of questions for this module is available here.
- Vulnerability disclosure
  - Zero-days
    - D. Danchev. Black market for zero day vulnerabilities still thriving. ZDNet, 2 November 2008.
    - Andy Greenberg. Meet the hackers who sell spies the tools to crack your PC (and get paid six-figure fees). Forbes, 21 March 2012.
    - Andy Greenberg. Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits. Forbes, 23 March 2012.
    - Sebastian Anthony. The first rule of zero-days is no one talks about zero-days (so we'll explain). Ars Technica, 20 October 2015.
    - Andy Greenberg. The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days. 17 August 2016.
    - Project Zero. A very deep dive into iOS Exploit chains found in the wild. 29 August 2019.
    - Risky Business. Risky Biz Feature Interview: Mark Dowd on the 0day market and future of exceptional access. 19 October 2021.
    - Mark Dowd. Inside The Zero Day Market. BlueHat IL, 2024.
    - Clement Lecigne. State-backed attackers and commercial surveillance vendors repeatedly use the same exploits. Google Threat Analysis Group, 29 August 2024.
  - Ethics and disclosure
    - Michael Daniel. Heartbleed: Understanding When We Disclose Cyber Vulnerabilities. The White House, 28 April 2014.
    - Bruce Schneier. Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them? The Atlantic, 19 May 2014.
    - Bruce Schneier. Who Are the Shadow Brokers? The Atlantic, 23 May 2017.
    - Alex Hoffman. Moral Hazards in Cyber Vulnerability Markets. Computer, December 2019.
    - Halvar Flake. Rashomon of disclosure. 17 August 2019.
    - Ivan Kwiatkowski. We need to talk - opening a discussion about ethics in infosec. Virus Bulletin 2019.
    - T. Kohno, Y. Acar, W. Loh. Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversations. 32nd USENIX Security Symposium, August 2023.
  - China's Regulations on the Management of Network Product Security Vulnerabilities (RMSV)
    - S. Scott, S.A. Brackett, Y. Gambrill, E. Nettles, T. Herr. Dragon tails: Preserving international cybersecurity research. 14 September 2022.
  - Legal issues
    - EFF. Coders' Rights Project Vulnerability Reporting FAQ.
    - EFF. Van Buren v. United States. June 2021.