Markets for zero-day exploits (software vulnerabilities unknown to the vendor) have a long history and a growing popularity. We study these markets from a revenue-maximizing mechanism design perspective. We first propose a theoretical model for zero-day exploits markets. In our model, one exploit is being sold to multiple buyers. There are two kinds of buyers, which we call the defenders and the offenders. The defenders are buyers who buy vulnerabilities in order to fix them (e.g., software vendors). The offenders, on the other hand, are buyers who intend to utilize the exploits (e.g., national security agencies and police). Our model is more than a single-item auction. First, an exploit is a piece of information, so one exploit can be sold to multiple buyers. Second, buyers have externalities. If one defender wins, then the exploit becomes worthless to the offenders. Third, if we disclose the details of the exploit to the buyers before the auction, then they may leave with the information without paying. On the other hand, if we do not disclose the details, then it is difficult for the buyers to come up with their private valuations. Considering the above, our proposed mechanism discloses the details of the exploit to all offenders before the auction. The offenders then pay to delay the exploit being disclosed to the defenders.

中文翻译：

---

零日漏洞利用市场的收入最大化

零日漏洞（供应商未知的软件漏洞）市场历史悠久，并且越来越受欢迎。我们从收入最大化机制设计的角度研究这些市场。我们首先提出了一个零日漏洞利用市场的理论模型。在我们的模型中，一个漏洞被出售给多个买家。有两种买家，我们称之为捍卫者和进攻者。防御者是购买漏洞以修复漏洞的买家（例如，软件供应商）。另一方面，违规者是打算利用漏洞的买家（例如，国家安全机构和警察）。我们的模式不仅仅是单件拍卖。首先，漏洞利用是一条信息，因此一个漏洞利用可以出售给多个买家。其次，购买者具有外部性。如果一名后卫获胜，那么漏洞利用对犯罪者来说就变得毫无价值了。第三，如果我们在拍卖前向买家披露漏洞利用的细节，那么他们可能会带着信息离开而不付钱。另一方面，如果我们不披露细节，那么买家很难提出他们的私人估值。考虑到上述情况，我们提出的机制在拍卖前向所有违规者披露了漏洞利用的详细信息。然后，攻击者付费以延迟向防御者披露漏洞。我们提议的机制会在拍卖前向所有违规者披露漏洞利用的详细信息。然后，攻击者付费以延迟向防御者披露漏洞。我们提议的机制会在拍卖前向所有违规者披露漏洞利用的详细信息。然后，攻击者付费以延迟向防御者披露漏洞。