[Dailydave] Faster, smashter. (fwd)
Charles Miller
cmiller at securityevaluators.com
Wed Dec 10 10:28:34 EST 2008
I wrote some about this too:
http://weis2007.econinfosec.org/papers/29.pdf
I like the idea of a derivative market. Its the only way I've heard
where you can make money by dropping 0-days on full disclosure, for
example. The drawback is that I know I can make 100k for my IE
exploit, but I don't know how much I can make by buying the "IE sucks"
derivative. There will only be so many people willing to buy the "IE
is rock solid" one and once I start buying up the "IE sucks" one, it
will be even harder to make a big score.
Charlie
On Dec 10, 2008, at 1:40 AM, Thorsten Holz wrote:
> On Dec 10, 2008, at 3:19 AM, sinan.eren at immunitysec.com wrote:
>
>> I would appreciate ideas to tie the value of a vulnerability to a
>> premium, any
>> quants who do security as well ?
>
>
> Rainer Böhme discussed the idea of exploit derivatives and cyber-
> insurances in a talk at CCC'05: http://events.ccc.de/congress/2005/fahrplan/events/801.en.html
> There is also a paper from the Workshop on the Economics of
> Information Security (WEIS 2005), in which Böhme discusses these ideas
> in more detail: http://infosecon.net/workshop/pdf/15.pdf
>
> Pretty interesting concept, but some obstacles need to be taken when
> implementing such a market (monoculture, correlation of attacks and
> such).
>
> Cheers,
> Thorsten
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
More information about the Dailydave
mailing list