Case #2029.0

The Vulnerability Economy: Zero-Days, Cybersecurity, and Public Policy

Publication Date: February 17, 2015

In 2011, Dillon Beresford, a computer security expert, discovered a series of new vulnerabilities affecting components of widely used industrial control systems. These new, previously unknown vulnerabilities (known as "zero-days") were potentially very serious. Zero-day vulnerabilities are key components of computer viruses, worms, and other forms of malware. Vendors and security firms seek out these flaws in order to patch and fix insecure software and hardware. Increasingly, however, nation states and criminals purchase zero-days from independent security researchers in order to develop new destructive cyberweapons and capabilities. Managing the growing trade in zero-day vulnerabilities is a key challenge for policymakers and corporate leaders. The case follows Beresford as he discovers a set of new zero-days and considers the different disclosure options available to someone in his position. The case reviews the mix of incentives that might encourage or discourage the discoverer of a new zero-day to: (1) disclose the flaw privately to the vendor of the insecure software or hardware; (2) disclose the flaw to the public without notifying the vendor; (3) pursue a hybrid strategy known as responsible or coordinated disclosure; or (4) sell the vulnerability. The case illuminates the different costs and benefits of each of these approaches for the security researcher, the vendor of the flawed software or hardware, and the public at large. Ultimately, the case asks students to consider which model of disclosure is most beneficial for the public and which policy levers are most useful in supporting that model.

Learning Objective:
The case is designed to support a discussion of the costs and benefits associated with competing models of vulnerability disclosure. The trade in zero-days is a growing area of policy concern. The case can be used in courses on cyber policy, science and technology policy, or national security. It can be used to explore the concepts of public goods, dual-use technologies, and externalities.

Other Details

Teaching Plan:
Available with Educator Access
Case Author:
Ryan Ellis
Faculty Lead:
Venkatesh Narayanamurti
United States