Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

August 3, 2015

Disclosure Disrupts the Zero-Day Market

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:24 am

Robert Lemos writes in Hacking Team Leak Could Lead to Policies Curtailing Security Research:

Within days, Netragard decided to exit the business of brokering exploit sales—a minor part of its overall business—until better regulations and laws could guarantee sold exploits went to legitimate authorities.

The decision underscores that the breach of Hacking Team’s network, and the resulting leak of sensitive business information, is continuing to have major impacts in the security industry.

The disclosure of seven zero-day vulnerabilities—four in Adobe Flash, two in Windows and one in Internet Explorer, according to vulnerability management firm Bugcrowd’s tally—has already enabled commodity attack software sold in underground malware markets to target otherwise protected systems.

“Those exploits were out there, but they were being used in a limited fashion,” Kymberlee Price, senior director of researcher operations at Bugcrowd, told eWEEK. “Now, they are being used extensively.”

Research has shown that a dramatic spike in usage, sometimes as much as a factor of 100,000, can occur following the public release of an exploit in popular software.

Imagine Rick’s reaction on Pawn Stars if you were trying to sell him a very rare gemstone and the local news reports that 100,000 of them have just been discovered outside of Las Vegas, Nevada.

Public disclosure of zero-day vulnerabilities effectively guts the zero-day market for those techniques.

Now I understand why some security experts and researchers have promoted a cult of secrecy around zero-day vulnerabilities and other exploits.

Public disclosure, which lets customers mitigate the exploits and put pressure on vendors, guts the market for selling those same exploits to “legitimate authorities.”

Netragard wants regulations to limit the sale of exploits, which keeps the exploit market small and the prices high.

I can understand its motivation from an economic point of view.

I am sure the staff at Netragard sincerely intend:

0-days are nothing more than useful tools that when placed in the right hands can benefit the greater good.

That 0-day regulations will maintain the market price for 0-days is just happenstance.

If anything, 0-days and other exploits need more immediate and widespread publicity. That will be unfortunate for 0-day exploit sellers, but they will be casualties of openness.

Openness is what will eventually create a disparity between vendors who exercise due diligence on cybersecurity and those who don’t.

Without openness, users are left at the mercy of 0-day vendors and “legitimate authorities.”

PS: There has been some indirect empirical research done on the impact of disclosure on exploit markets. See: Before We Knew It – An Empirical Study of Zero-Day Attacks In The Real World by Leyla Bilge and Tudor Dumitras.
