Herb Lin on the Market for Zero-Day Vulnerabilities

The fundamental problem is that you WANT people finding zero-day vulnerabilities (ZDVs), but you want them selling what they know only to the people who should be having them.  So, speaking for myself and not for any institution with which I am or have been affiliated, I offer some thoughts on how this might be managed. I can imagine some kind of licensing scheme in which it becomes legal only to sell to properly “authorized” parties.  This, of course, requires legislation to make it illegal to sell ZDVs to unauthorized parties.  Here are three important questions:

• Who would be authorized to buy ZDVs?   Parties that develop software targeted by a given ZDV certainly have a legitimate interest in obtaining them.  Perhaps more controversial are law enforcement or national security agencies.

• How could this law be enforced?  There are two major problems with enforcement.  First, since most sales of ZDVs take place out of public view (much like sales of drugs or illegal guns), sting operations are probably the only way for law enforcement officials to know that an illegal sale is taking place.  Such sting operations would be complex, risky, and labor-intensive, and are likely to be controversial—but they may be the only way to introduce significant uncertainty into the ZDV market.  Second, because ZDV discovery is a world-wide operation, it is likely that any such law would have to be enforced extraterritorially. Although many national governments would have an interest in supporting such enforcement, not all do, and extraterritorial enforcement would be controversial as well.

• How effective might this law be?  It is unlikely that prosecutions under such a law could reduce trafficking in ZDVs to a very low level, simply because of the labor needed to conduct interdictions.   But if the penalties were structured in such a way that a few high-profile prosecutions could produce significant deterrent value, the likelihood for effective application might be higher.

There are hints of some of this in export control laws, which seek to limit the transfer of sensitive dual-use technology.  But ZDVs are in essence software, and the export control process has many difficulties in dealing with the export of dual-use software. I am sure there are other problems with the scheme I describe above, and in the end, I’m not sure I’m willing to defend it.  But perhaps these thoughts will stimulate smarter people to tackle the problem.