This report is intended for CISOs, security managers, and security practitioners who are familiar with vulnerabilities and zero-days and want a deeper understanding of the market dynamics driving their discovery and dissemination.
It explores the vulnerability-to-exploit (V2E) cybercrime and cybersecurity supply chain, outlines the players in the different market segments, and provides insights into the related economic drivers.
The Vulnerability-to-Exploit (V2E) supply chain straddles three different market segments — the white, gray, and black markets — and is composed of a variety of market players, from lone-wolf rogue researchers to nation-states. The markets and players, while divided by their ultimate motives and objectives — defend and disclose versus attack and obfuscate — intersect and interact to create parallel, mirrored supply chains. The white market in vulnerabilities and exploits operates in the open, is composed primarily of cybersecurity vendors and researchers, and makes intelligence widely available. It has driven the price of zero-day exploits into astronomical six-digit figures, while also catalyzing the criminal black market to consumerize many capabilities required to conduct offensive operations, with cybercrime-as-a-service offerings available to anyone with the necessary funds. The gray market — with nation-states and state-sponsored agencies and actors acquiring and developing exploits for covert intelligence operations and motivated by national security concerns — drives the market in exploits and sets their floor price. These markets are symbiotic and share an ecosystem. By the time an exploit moves from the discovery of a vulnerability to ultimately being used in a breach, it will have jumped across at least two and sometimes all three of these markets.