link to the published version: IEEE Computer, December, 2019

Moral Hazards in the Cyber Vulnerability Markets


Hal Berghel and Alex Hoffman

The cyber vulnerability market arose from bug bounty programs initiated in the 1980s. Originally created to provide programmers, end-users, and security professionals an opportunity to report code vulnerabilities, it has since become a cottage industry that serves many masters with very different motives.

Bug bounty programs may be distinguished by the nature of their management. Internal programs are run by software companies themselves, while 3rd party programs are managed by intermediaries or brokers that operate either as for-profit businesses or clandestine services. These 3rd party programs fuel the grey and black markets for software vulnerabilities that benefit software developers or cyber mercenaries, respectively, especially state actors who seek to acquire robust cyber warfare tools. The largest consumer of black market software vulnerabilities is most likely the U.S. National Security Agency’s Vulnerability Equities Process (VEP). The motives behind these two markets are very different, the former being primarily economic while the latter is cyber-political.


The most sought-after vulnerability to hackers, cyber-mercenaries, and the military-industrial complex is the zero-day, which, by definition, has never been observed “in the wild” and for which, therefore, no identifying signatures or defensive measures have been developed. In short, the entire Internet is vulnerable. It has been speculated that the black market for zero-days began in late 2005 when the Windows Metafile (WMF) vulnerability was sold for $4,000 [DANCHEV]. According to the same author, that sale began serious study of the economic potential of the zero-day market. The rest, as they say, is history. It is not unusual for the most dangerous vulnerabilities to sell for hundreds of thousands (or perhaps millions) of dollars. Cyber mercenaries discovered early on that the big money was in selling to the highest bidder [GREEN1], and the highest bidders intend to use the vulnerabilities offensively.

The black market in vulnerabilities presents governments that purport to be democratic with a conundrum, the first of two identifiable moral hazards. They can report the vulnerabilities to the developers to contribute to the safety and security of their citizens, or they can cloister the malware in an offensive stockpile for use as cyber weaponry against adversaries [SCHNEIER]. This was one of the key questions that the Obama administration sought to resolve when it commissioned the President's Review Group on Intelligence and Communications Technologies in 2013. The resulting report, Liberty and Security in a Changing World [LIBERTY], was relatively well-balanced for the product of a bureaucracy led by proponents of government surveillance. As was written at the time, “this report falls in the Shakespearean category of much ado about nothing. Though it doesn't accomplish much, it doesn't seem to do much harm either, and that's a good thing.” [BERGMH] That said, the report did reveal some interesting facts to the few citizens who were willing to read it. It actually recommends that the government do nothing to “subvert, undermine, weaken, or make vulnerable generally available commercial software,” a point to which we now turn.

Although the report doesn't specifically refer to VEP, the authors were thinking about it when they suggested that the government security agencies not be given carte blanche in the use of zero-day vulnerabilities. The report recommended that “Before approving use of the Zero Day rather than patching a vulnerability, there should be a senior-level, interagency approval process that employs a risk management approach.” This sentence is the government-ese, Orwellian double talk, or political psychobabble equivalent of saying that the interests of the citizens should not be dismissed out of hand when the government stockpiles malware. For bureaucrats, this is an important consideration, for it recommends that at least some concern be given to the public interest in such matters. (Actually, we might more accurately use the expression ‘what the public considers the public interest,' for the public and their elected officials frequently disagree on what the public interest actually is.)

The importance of this point was brought home three years later when the hacking group Shadow Brokers published information on stolen NSA files (including archived zero-days) on the Internet [SCHNEIER2], [PERLROTH1]. According to Kaspersky Labs, digital signatures of the hacking tools used by Shadow Brokers were similar to those found in software used by the Equation Group (Kaspersky provides an Equation Group FAQ). Dan Goodin has observed that “The use of zero-day exploits later used in both the Stuxnet worm that disrupted Iran's nuclear program and the Flame malware platform targeting the Middle East demonstrated that Equation Group had clear connections to the National Security Agency or a related US hacking arm.” [GOODIN]

The Shadow Brokers case illustrates how much of a moral hazard VEP presents. As Dave Aitel and Matt Tait have observed, the US government “… has confused a public relations strategy with a security strategy, to the detriment of the nation.” [AITEL] As with all moral hazards, the problem appears when disincentives motivate conduct that is inconsistent with avowed objectives. [BERGMH] Specifically, it's not obvious that VEP as it is currently instituted will make us safer than if the US government were to remove itself from the zero day supply chain. [ANTHONY] The absence of confirmable positive advantage suggests that extensive future public discussion should be encouraged.


The original bug bounty program was intended as a remunerative vehicle by which people can ethically report software defects (aka bugs) to companies. Typically, such bugs are related to security vulnerabilities, so a bug bounty program, at least in the ideal case, incentivizes people to do the right thing and report bugs to the developer. Bug bounty programs tend to follow a typical crowdsourcing model where there is an open call for people to anonymously test software [LATOZA]. Participating companies initiate their bug bounty program by announcing it openly. This allows certain kinds of testing for security vulnerabilities without liability. It should be noted that some companies, such as Oracle, are opposed to having their software examined for security vulnerabilities [DAVIDSON], so security detectives should be careful not to breach licensing agreements or laws. To ameliorate legal concerns, disclose.io [DISCLOSE.IO] is attempting to “…standardize best practices around safe harbor for good-faith security research.”

In fact, disclose.io is working to provide a framework for ethical security research. Their work involves building a set of best practices for people to collaborate with companies on bug bounty hunting. Such efforts to establish a vendor-neutral vulnerability reporting framework have no downside from the public perspective; however, it would be naïve to think that they would be universally welcomed by vendors, as they violate the essential premise of faith-based security: security through obscurity [BERGFBS]. It is not unusual for technology companies to avoid any investigation into the suitability of their product. In fact, the recent Theranos fraud investigation is a reminder of the tenacity with which technology companies may attach themselves to corporate secrecy [CARREYROU].

It has been reported that the first known bug bounty program started in 1983 [MARKS]. Netscape launched the first modern, crowdsourced bug bounty program [FRIIS-JENSEN], which offered tiered rewards to participants, in late 1995. While Netscape's program was a way to discover all types of defects, there was one key difference between that version and the iterations that exist today: their program was only applicable during the Netscape Navigator 2.0 beta testing. It took seven years for the next company, IDefence, to pick up where Netscape left off and, in so doing, take the modern approach of testing live production software. Two years later TippingPoint joined IDefence as a broker for security vulnerabilities. They would pay people a few hundred dollars for finding bugs, and in turn the company would sell the information about the vulnerability to the target company [FRIIS-JENSEN].

While Mozilla has the current longest-running bug bounty program, Google accelerated the movement in 2010 by enticing broad participation in crowdsourced vulnerability discovery. [HOPPING], [FRIIS-JENSEN]


Current bug bounty programs are either internally managed programs (IMP) or third-party managed programs (TMP). IMPs favor larger technology companies like Google, Microsoft, Facebook, and Intel, as they are able to devote adequate monetary and human resources to the task. TMPs, on the other hand, favor smaller and non-technology-based companies. Starbucks, Netflix, GM, Twitter, and Snap are examples of companies that rely on TMPs. Examples of TMPs include HackerOne [HACKERONE], Bugcrowd [BUGCROWD], and Cobalt [COBALT]. Of course there are exceptions to these rules. Johnson and Johnson is a company that doesn't specialize in computing yet administers its own bug bounty program [PRODUCTSECURITY], while Snap and Netflix are computing companies that use TMPs [BUGCROWD - NETFLIX], [HACKERONE - SNAPCHAT]. Even the U.S. Federal government is getting in on the bug bounty action, with the Air Force, DoD, and other three-letter agencies dabbling in the practice. There is discord at the federal level, with DHS trying to work holistically across the government and private sector to mitigate cyber risk while the FBI considers bounty programs "a little overhyped" for the government [HECKMAN]; thus further discourse in this area will be saved for a subsequent work.

By way of comparison, Google's bounty program has paid out over $15 million since 2010 [PROTALINSKI], with the highest payout associated with their Android platform. Facebook has expended $7.5 million since 2011 [NEWMAN]. It is worth noting that Microsoft was the last of the three to start a bug bounty program [GOODIN 3], [BRIGHT], but they are already near the top of the annual payout scale with $2 million paid out in 2018 alone and plans to expand their program in 2019 [TUNG]. Like Google, they have multiple different programs and varying reward tiers within each of them, but unlike Google they announced in 2019 that, while they will maintain an IMP, they are outsourcing the payment process to HackerOne [TUNG]. Recognition for bounties will be rewarded on both Microsoft and HackerOne leaderboards.

At this writing, HackerOne is the largest of the TMPs by investment dollars. It was founded in 2012 by two Dutch hackers along with a Dutch entrepreneur and Facebook's head of product security [PERLROTH2]. They have raised $74 million in venture funding [CRUNCHBASE - HACKERONE] and employ the largest group of hacker/programmers. Starbucks, Twitter, Uber, Snap, and HBO all use HackerOne's bug bounty platform. Even Google employs HackerOne's help with the Google Play store, and as mentioned previously, Microsoft started using HackerOne for their payment processing in 2019. Bugcrowd was also founded in 2012, but they trail HackerOne in investment dollars at $48.7 million [CRUNCHBASE - BUGCROWD]. Bugcrowd has a slightly different model where they internally employ verification engineers to manually check every bug submitted through their platform in order to ensure a certain standard of defects being submitted [BUGCROWD — ASE]. They also boast an impressive customer list headlined by Tesla, Cisco, Netgear, Atlassian, and Okta [BUGCROWD 2]. Cobalt is the newest and by far the smallest of the three start-up companies by investment dollars. It was started in 2013, and it has only raised $8 million in funding to date [CRUNCHBASE - COBALT]. Notable companies using Cobalt include Salesforce, Credit Karma, and GoDaddy.

Other companies such as Synack [SYNACK] compete in this market, but do not strictly crowdsource their bug bounty program. These “closed ecosystem” environments are not discussed here.


As with VEP, both types of bug bounty programs discussed above enable misplaced incentives, although IMPs are less assailable in this regard. This holds true for all “bounty” programs and is not unique to the software industry. The general problem is that open bounties may encourage participation by the ‘wrong people for the wrong reasons,' at least from the point of view of the principal's interests. There is a parallel in this regard between bug bounties and traditional bounty hunters (aka bail/fugitive recovery agents, surety agents, skiptracers, etc.), and these misplaced incentives are the reason that bounty hunting is banned in all but the U.S. and some of its territories. While the parallel isn't precise, making it is informative.

In the ideal case, bounties are offered to encourage people to do the right thing (show up for trial, report software bugs) – read: what is in the best interest of the patron (society, government, stockholders, etc.). However, in the zeal to satisfy these interests, bounty supporters frequently ignore potential moral hazards like encouraging behavior that is as unlawful as that which justified the bounty. The arrest of the star of the TV series Dog the Bounty Hunter on charges of illegal detention and conspiracy for the alleged kidnapping of a fugitive cosmetics heir illustrates that the motives of a bounty hunter may be mixed and not necessarily consistent with those of the sponsor. [BONAWITZ] The same applies to bug bounty hunters. The bounty may entice hunters to sell any discovered bugs to a higher bidder than the sponsor, thereby defeating program objectives. The bounty program may be perceived as a fallback if no better price for detected bugs can be found.

Another downside is that a bounty program can create a free-for-all for bug detection, including ‘inconsequential' bugs whose reporting might delay software release or distract the manufacturer from important product development. In addition, software testers involved in bounty programs may not have the ability to assess the potential for negative consequences of bugs [VOTIPKA]. Reporting low-potential (LOPO) bugs may become more of a distraction for developers than an asset. Legally, when developers ignore reported bugs of any stripe, they increase their liability. Developers may also be unwilling to pay to eliminate every possible bug in software prior to release, so the effect of the program may be only to increase the number of people who are aware of non-critical, LOPO bugs.

Finally, there is the issue of the vetting of the participants in bug bounty programs. As with their extra-judicial counterparts, there are no certifications and background tests involved.


Compensation is either a monetary reward or an informal in-kind exchange. Many companies publish a price list for bug bounties based on type of bug, severity, and reporting status. Companies will usually pay only for the initial bug report, although there are exceptions. In 2019, Microsoft offered fractional compensation for a report of an internally known bug [MSRC]. In-kind exchange may involve discounts on products and services, air miles [OSBORNE], or public recognition (e.g., leaderboards [DENNIS]). Some professionals consider bug reporting part of their professional responsibility. The ACM Code of Ethics, for example, holds that computing professionals have a responsibility to report “any signs of danger from systems” [ACM].

Bug detection may be remunerative outside of either of the aforementioned bug bounty programs. Brokers and resellers such as TippingPoint and IDefence (purchased by Verisign) [FRIIS-JENSEN] work in much the same way as news aggregators: they re-package source material (in this case software bugs) for particular audiences (in this case developers) for a commission or fee. Exodus Intelligence even provides a zero-day subscription service with a guaranteed minimum of relevant reports to enterprise networks [EXODUSINTEL].

A variation on this theme is the grey/black market industry, where all manner of computer threat vectors (bugs, malware, threat signatures, compromises, etc.) are sold for profit to state actors and their constituencies [CURTIS]. In our view, distinctions between the grey and black labels seem ad hoc, arbitrary, and motivated by public relations more than by policy considerations. Perhaps a better term would be taupe market. In any event, the same motives are involved in both black and grey markets: sell the information to the highest bidder consistent with global political bias and personal agenda, whether it be a sale to a broker for the industry (the grey part of the scale) or a sale to a state sponsor, cyber mercenary, or criminal organization (the black component). We emphasize that in neither case is the motivation the health of the software industry or the security of the end user.

These markets are driven by the consumers: the NSA VEP, other three-letter government agencies, intelligence/defense “pure plays” (i.e., companies whose primary revenue is government contracts), foreign governments, and occasional independent bad actors. This industry contributes to the cyber-mercenary backbone of the much larger military-industrial complex and involves many of the same players. As we mentioned, there is a lot of money involved in the grey market. It has been reported that Zerodium offers up to $2,000,000 for high-risk zero-day vulnerabilities [ZERODIUM], [GOODIN 2], the ultimate destination and use of which would not be disclosed. At this writing no definitive assessment has been published that sheds light on the economics of the grey/black market. It is even unknown how companies account for their bounty budgets.


The study of bug bounty programs offers insights into many different perspectives on security within the technology sector and on technology programs within other sectors. Each perspective seems to carry with it unique moral hazards. Industry-supported bug bounty programs send mixed messages and attract participants with varying skill levels and different agendas, not all of which are entirely consonant with industry objectives and the interests of end users. On the other hand, the grey/black market operates independently and at cross-purposes with the industry initiatives and draws upon the skills of what we would assume to be a largely independent group of participants. A thorough analysis of the identities of these two groups (bug bounty participants and grey/black market operatives) and their inter-relationships would be fascinating, and in our view is essential to any risk analysis worthy of the name. We hope that social scientists are drawn to such study. In the meantime, ground-truth data is minimal and our understanding is necessarily fragmentary.


[ACM] Association for Computing Machinery, “ACM Code of Ethics and Professional Conduct,” ACM Ethics, June 22, 2018. [Online]. Available:

[AITEL] D. Aitel and M. Tait, “Everything You Know About the Vulnerability Equities Process is Wrong,” Lawfare, August 18, 2016. [Online]. Available:

[ANTHONY] S. Anthony, “The first rule of zero-days is no one talks about zero days (so we'll explain),” Ars Technica, October 20, 2015. [Online]. Available:

[BERGFBS] H. Berghel, “Faith-Based Security,” Communications of the ACM, vol. 51, no. 4, pp. 13-17, April 2008. [Online]. Available:

[BERGMH] H. Berghel, “Moral Hazards, Negative Externalities, and the Surveillance Economy,” Computer, vol. 47, no. 2, pp. 11-15, February 2014. [Online]. Available:

[BILGE] L. Bilge and T. Dumitras, “Before we knew it: An empirical study of zero-day attacks in the real world,” in Proc. 2012 ACM Conference on Computer and Communications Security, 2012, pp. 833-844. DOI: 10.1145/2382196.2382284

[BONAWITZ] A. Bonawitz, “Duane ‘Dog' Chapman Arrested,” CBS News, September 15, 2006. [Online]. Available:

[BRIGHT] P. Bright, “Microsoft pays $100K for new exploit technique, patches IE 0-day,” Ars Technica, October 9, 2013. [Online]. Available:

[BUGCROWD – NETFLIX] Bugcrowd, “Netflix,” Bugcrowd. [Online]. Available:

[BUGCROWD] Bugcrowd, “Bugcrowd Cybersecurity Platform,” Bugcrowd. [Online]. Available:

[BUGCROWD 2] Bugcrowd, “The Most Trusted Crowdsourced Security Company,” Bugcrowd. [Online]. Available:

[BUGCROWD—ASE] Bugcrowd, “Getting Started with Bugcrowd | FAQs,” Bugcrowd. [Online]. Available:

[CARREYROU] J. Carreyrou, Bad Blood: Secrets and Lies in a Silicon Valley Startup. New York, NY: Knopf, 2018.

[COBALT] Cobalt, “Cobalt Application Security Platform,” Cobalt. [Online]. Available:

[COPPOCK] M. Coppock, “Microsoft and Google Are Paying More Than Ever to Those Who Find Bugs in Their Systems,” Digital Trends, March 6, 2017. [Online]. Available:

[CRUNCHBASE - BUGCROWD] Crunchbase, “BugCrowd,” Crunchbase, (n.d.). [Online]. Available:

[CRUNCHBASE - COBALT] Crunchbase, “Cobalt,” Crunchbase, (n.d.). [Online]. Available:

[CRUNCHBASE - HACKERONE] Crunchbase, “HackerOne,” Crunchbase, (n.d.). [Online]. Available:

[CURTIS] S. Curtis, “Hackers tap into 'grey market' for legal bug sales,” Telegraph, June 10, 2015. [Online]. Available:

[DANCHEV] D. Danchev, “Black Market for zero day vulnerabilities still thriving,” ZDNet, November 2, 2008. [Online]. Available:

[DAVIDSON] M. Davidson, “No, You Really Can't,” Oracle Blogs: Mary Ann Davidson (Archived), November 2, 2008. [Online]. Available:

[DENNIS] R. Dennis and G. Owen, “Rep on the block: A next generation reputation system based on the blockchain,” in Proc. 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), 2015, pp. 131-138. DOI: 10.1109/ICITST.2015.7412073

[DISCLOSE.IO] disclose.io, (n.d.). [Online]. Available: https://

[EXODUSINTEL] Exodus Intelligence, “Capabilities: Detect the Undetectable: Zero-Day Subscription,” Exodus Intelligence, (n.d.). [Online]. Available:

[FRIIS-JENSEN] E. Friis-Jensen, “The History of Bug Bounty Programs,” Cobalt Blog, April 11, 2014. [Online]. Available: programs-50def4dcaab3

[GOODIN] D. Goodin, “Confirmed: hacking tool leak came from ‘omnipotent' NSA-tied group,” Ars Technica, August 16, 2016. [Online]. Available:

[GOODIN 2] D. Goodin, “Wanted: Zeroday exploit prices are higher than ever, especially for iOS and messaging apps,” Ars Technica, January 7, 2019. [Online]. Available:

[GOODIN 3] D. Goodin, “Now there's a bug bounty program for the whole Internet,” Ars Technica, November 6, 2013. [Online]. Available:

[GREEN1] A. Greenberg, “Meet the Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees),” Forbes, April 9, 2012. [Online]. Available:

[HACKERONE – SNAPCHAT] HackerOne, “Snapchat,” HackerOne, (n.d.). [Online].

[HACKERONE] HackerOne, “Bug Bounty - Hacker Powered Security Testing,” HackerOne, (n.d.). [Online]. Available:

[HECKMAN] J. Heckman, “FBI senior IT official: Bug bounties still useful, but ‘a little over-hyped',” Federal News Network, July 18, 2019. [Online].

[HOPPING] C. Hopping, “Teenage hacker makes $1m from bug bounty rewards,” IT PRO, March 4, 2019. [Online]. Available: bug-bounty-rewards

[LATOZA] T. D. LaToza and A. van der Hoek, “Crowdsourcing in Software Engineering: Models, Motivations, and Challenges,” IEEE Software, vol. 33, no. 1, pp. 74-80, Jan.-Feb. 2016. DOI: 10.1109/MS.2016.12

[LIBERTY] R. Clarke, M. Morell, G. Stone, C. Sunstein, and P. Swire, “Liberty and Security in a Changing World, Report and Recommendations of The President's Review Group on Intelligence and Communications Technologies,” 12 December 2013.

[MARKS] P. Marks, “Bounties Mount for Bugs,” 23 August 2018.

[MSRC] MSRC, “Microsoft Bounty Program Updates: Faster bounty review, faster payments, and higher rewards,” Microsoft Security Response Center, April 2, 2019. [Online]. Available: program-updates-faster-bounty-review-faster-payments-and-higher-rewards/

[NEWMAN] L. Newman, “Facebook, Under Scrutiny, Pays Out Largest Bug Bounty Yet,” WIRED, December 12, 2018. [Online]. Available:

[OSBORNE] C. Osborne, “United Airlines showers air miles on bug bounty researchers,” ZDNet, July 14, 2015. [Online]. Available:

[PERLROTH1] N. Perlroth and D. Sanger, “Hacks Raise Fear over N.S.A.'s Hold on Cyberweapons,” The New York Times, June 28, 2017. [Online]. Available:

[PERLROTH2] N. Perlroth, “HackerOne Connects Hackers With Companies, and Hopes for a Win-Win,” The New York Times, June 7, 2015. [Online]. Available:

[PRODUCTSECURITY] Johnson & Johnson, “Product Vulnerability Disclosure Reporting,” Johnson & Johnson Product Security, (n.d.). [Online]. Available:

[PROTALINSKI] E. Protalinski, “Google has paid security researchers over $15 million for bug bounties, $3.4 million in 2018 alone,” VentureBeat, February 8, 2019. [Online]. Available:

[SCHNEIER] B. Schneier, “Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them?” The Atlantic, May 19, 2014. [Online]. Available:

[SCHNEIER2] B. Schneier, “Who Are the Shadow Brokers?” The Atlantic, May 23, 2017. [Online]. Available:

[SILENT CIRCLE] Silent Circle, “The Importance Of Bug Bounty Programs,” Silent Circle, January 25, 2018. [Online]. Available:

[SYNACK] Synack, Synack, (n.d.). [Online]. Available:

[TUNG] L. Tung, “Microsoft: Our bug bounty payouts hit $2m in 2018 and we're offering more in 2019,” Ars Technica, April 4, 2019. [Online]. Available:

[VOTIPKA] D. Votipka, R. Stevens, E. Redmiles, J. Hu, and M. Mazurek, “Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes,” in Proc. 2018 IEEE Symposium on Security and Privacy (SP), 2018, pp. 374-391. DOI: 10.1109/SP.2018.00003

[ZERODIUM] Zerodium, “Our Exploit Acquisition Program,” Zerodium, (n.d.). [Online]. Available: