The Historical Relationship between the Software Vulnerability Lifecycle and Vulnerability Markets: Security and Economic Risks

Abstract

Vulnerability lifecycles and the vulnerability markets are related in a manner that can lead to serious security and economic risks, especially regarding black markets. In the current era, this is a relationship that requires careful scrutiny from society as a whole. Therefore, in this study, we analyzed the actual data relating to vulnerability-regulated markets in the case of two well-known browsers, Firefox and Chrome. Our analysis shows that financial reward is the main motivation for most discoverers, whose numbers are increasing every year. In addition, we studied the correlation between vulnerability markets and the vulnerability lifecycle from many perspectives, including theoretical concepts, and statistical approaches. Furthermore, we discussed the potential risks for people and organizations in terms of security and economics. We believe that money is the main motivation in vulnerability markets and that the latter are, in turn, the main driver of the vulnerability lifecycle, which presents several risks to the software industry and to society itself. Thus, in our opinion, if vulnerability markets can be controlled, the vulnerability lifecycle will be reduced or eliminated, along with its associated risks.