Harnessing uncertainty in vulnerability market

Zhen Li, Qi Liao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review


Zero-day vulnerabilities pose significant threats in computer and network security, and have attracted attention in recent years not only from malicious attackers but also from government and law enforcement users who need to control (e.g., for forensic purposes) computer systems that are otherwise inaccessible through traditional channels. Based on the observation that vulnerabilities are acquired and traded differently from commodities, we study and propose a vulnerability market model that takes into consideration cheating and uncertainty in the market. The paper illustrates the interactions between vulnerability sellers and buyers in a game-theoretic framework. By modeling the economic aspects of the vulnerability market with a focus on information asymmetry and the distinctive incentives of malicious and defensive buyers, we propose active and strategic market participation by defenders to obtain vulnerability information from the marketplace in a cost-effective way. Rather than killing the market, defenders can take advantage of the incomplete-information feature of the vulnerability market to improve cyber-security. To further maximize the uncertainty, defenders may also participate on the supply side of the vulnerability market, providing low- or no-value vulnerabilities to dilute the market.

Original language: English
Title of host publication: ICCCN 2018 - 27th International Conference on Computer Communications and Networks
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781538651568
State: Published - Oct 9 2018
Event: 27th International Conference on Computer Communications and Networks, ICCCN 2018 - Hangzhou City, Zhejiang Province, China
Duration: Jul 30 2018 → Aug 2 2018

Publication series

Name: Proceedings - International Conference on Computer Communications and Networks, ICCCN
ISSN (Print): 1095-2055


Conference: 27th International Conference on Computer Communications and Networks, ICCCN 2018
City: Hangzhou City, Zhejiang Province


  • Asymmetric Information
  • Computer Security
  • Economics
  • Game Theory
  • Uncertainty
  • Zero-day Vulnerability Market

