Vulnerability market as a public-good auction with privacy preservation
Document Type
Article
Publication Date
6-1-2020
Abstract
Exploitation of zero-day vulnerabilities causes enormous damage to organizations. Hence, organizations would invest in buying zero-day vulnerabilities to patch their systems. On the other hand, hackers are interested in buying zero-day vulnerabilities to exploit their targets. In such a market, the vulnerability finder decides whether to sell the vulnerability information to the organizations or to the hackers in the black market. In this paper, we model the vulnerability market as a public-good auction where the organizations collaboratively bid for the vulnerability information. In this case, an organization determines how much to invest in the vulnerability information to maximize its payoff. First, we characterize the auction and study the bidding strategies in centralized and decentralized approaches, and then we compare the efficiency of the coalition. Moreover, as the bidding value in such an auction is sensitive information, we present a novel privacy-preserving mechanism based on cryptographic primitives to protect the organizations’ bidding values. Our mechanism is also applicable to other public-good auctions. Security analysis and performance evaluation are conducted, showing the practicality of our proposed mechanism.
Publication Title
Computers and Security
Volume
93
Digital Object Identifier (DOI)
10.1016/j.cose.2020.101807
ISSN
01674048
Citation Information
Vakilinia, I., & Sengupta, S. (2020). Vulnerability market as a public-good auction with privacy preservation. Comput. Secur., 93, 101807.