Thursday, December 24, 2015



A zero-day vulnerability is a previously unknown flaw in a computer program that exposes the program to external manipulation. Zero-day vulnerabilities have been found in many operating systems and programs, including Chrome, Internet Explorer, Adobe, and Apple products. Zero-day vulnerabilities also appear in software running critical infrastructure, such as power plants. What differentiates a zero-day from other computer vulnerabilities, and what makes it valuable, is that it is unknown to the software’s makers and users. Whoever has knowledge of a zero-day can exploit it from the “zero-th” day of its discovery until the software maker or users learn of it and fix the vulnerability. What makes a zero-day vulnerability different from other cyber tools is that it is simply information. A zero-day encapsulates the knowledge that X could happen if you do Y. As Auriemma and Ferrante of ReVuln, a zero-day seller, argue, “we don’t sell weapons, we sell information.” Other companies, however, do sell weaponized vulnerabilities – zero-day “exploits” – that contain new software code taking advantage of a zero-day vulnerability. Desautels, of vulnerability seller Netragard, states that Netragard sells exploits. Zero-day exploits range in complexity and functionality, from enabling access to a software program, to monitoring it, to extracting information from it, to damaging it. For instance, the Stuxnet program allegedly used by the United States to damage Iranian uranium-enrichment centrifuges made use of four zero-day vulnerabilities.
The term zero-day “vulnerability” describes the software flaw itself. When a zero-day vulnerability is sold, knowledge of the flaw is sold. The press often uses the term zero-day “exploit” interchangeably to describe either knowledge of a flaw or new software code exploiting a flaw. In this article, the term “exploit” refers only to new code written to take advantage of a zero-day vulnerability. Although turning a vulnerability into an exploit can be relatively easy, motivations for finding and exploiting vulnerabilities often differ. For instance, cybersecurity researchers have less motivation to turn vulnerabilities into exploits than someone selling or buying zero-days. This distinction between a zero-day vulnerability and a zero-day exploit, and between the different groups interacting with them, is important to make when analyzing regulatory options for the zero-day vulnerability trade. Vulnerabilities are most exploitable if kept secret. Zero-days are discovered, not made, so there is no guarantee that someone in possession of a vulnerability is the only person who knows about it. The value of secrecy complicates efforts to control the zero-day trade because it contributes to market opacity and a lack of transparency about buyer and seller behavior.
Zero-days are traded in three markets. As defined in this article, the “white market” encompasses sales of vulnerabilities between zero-day vulnerability hunters and software vendors or third-party clearinghouses. The “black market” describes interactions where the buyer or the seller has criminal intent. The “grey market” involves interactions between vulnerability sellers and government agencies conducted as legal business deals. It also encompasses sales between vulnerability sellers and legal users of zero-day vulnerabilities, including high-end cybersecurity firms. This article distinguishes between “legal” and “legitimate” zero-day vulnerability markets. White-market and grey-market transactions are legal, and black-market transactions are illegal. Because of the negative security ramifications of the grey market, this article designates only white-market options as legitimate. Grey-market firms, rather than freelance hackers, now sell more than half of zero-day vulnerabilities. NSS Labs included many of these firms in its market analysis and concluded that “half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year, resulting in privately known exploits being available on any given day,” at minimum. One seller identified the decreased risk of getting ripped off, the possibility of job offers, and stable contracts with government or industry clients as reasons vulnerability hunters choose to operate on the grey market.

