VMark: market standard for cybersecurity risk
Reflexive Prediction Markets
I was going to write about reflexive prediction markets here, but realized it was enough for its own page, see Reflexive Prediction Markets.
"We regret to inform you that we didn't change the default credentials, but we still deeply care about your privacy"
Every company ever that’s been breached "really respect(s) your security and is deeply sorry that it happened" and when the postmortem comes out a few weeks later, it's heartfelt but also their Apache Struts credentials were still the default admin:admin.
- Company stock price doesn't go down. Not saying that the stock price "should" change, stock prices are gonna stock price, leave Adam Smith out of this.
- Your information is now public (if it wasn't already)
- Congratulations on your new 90-day LifeLock subscription (third one this year)
And like that, the story goes on. Except Mythos "changes everything" , and even if you don't believe it, we'll discover more vulnerabilities.
“It is a truth universally acknowledged, that a security researcher in possession of a zero-day must be in want of a way to monetize.”
0-days are a stockpile of strategic pain, chaos, and disorder just waiting to be used.
At least at time of writing, it does not make sense to invest tokens / cycles on finding 0-day exploits, because there isn't really a good market for them (unless you know a guy who knows a guy). A lot of these things are waiting to be discovered, but there isn't a "good guy greg" path to monetization.
So what if:
- humans and agents will always make mistakes
- what if there was a way to price this in
- moreover, what if there was a way to make the pricing reflexive?
Also, what is a 0-day worth? Adam Smith chimes back in and reminds us - it's what a buyer is willing to pay. If that buyer is state-sponsored and is literally in the business of printing their own money and they really want exploits, that number will be higher.
Bug Bounty Burnout
Companies are getting better at this with things like million-dollar bug bounties for critical exploits, as they should, but that's still no competition for state-sponsored budgets.
Bug Bounty marketplaces don't work for 0-days because someone who has a valuable exploit is not going to use it if the reward is a small check and a hoodie and a long email thread with the legal department.
In fact, one of the biggest problems I see in bug bounty marketplaces is that they're really tiring to operate. If you put up a $250 bounty, you will get responses from $250 security researchers. The answer here isn't LLMs or pre-filtering of submissions - it's a different mechanism completely.
Ransomware: the "even if" alternative
Let's say you made a market where there was exactly 1 buyer, and your marketing campaign was reaching out anonymously, and the problem was one that you're about to solve for them (but you also just invented it).
Congratulations, you've just invented ransomware.
Problem is, imagine you got your $10M ransom paid. Now you have another problem: you're now long ZCash (just kidding), the problem is that now you have to find a way to bring it back into the traditional financial system. And the statute of limitations for laws preventing you from hacking an oil company, is a long one.
Net Present Value of a $10M paid bounty is probably $2M today
So you're going to spend the rest of your life playing catch me if you can. Your $10M ransom is probably worth $2M once you factor in the loss in quality-of-life and being on the run for the rest of your life.
Not only that, but you're so busy using Tor that you probably won't be doing the thing you're really good at: finding more 0-days.
Are we destined for doom? No, we just need a better path to monetize.
What if we assumed:
- there will always be misconfigured infrastructure
- humans and agents will always introduce bugs, no matter what
We're doomed, right?
Wrong. What we need is a better way to monetize cyber-attacks and critical software vulnerabilities.
At least three categories of vulnerabilities:
| Related to | Example |
|---|---|
| How you configured your infrastructure | we meant to BLOCK ALL from 0.0.0.0/0 but the key was mis-typed by the deeply regretful finger that actually typed 1.0.0.0/0 |
| Software you wrote and you run | vulnerability in your custom wordpress plugin |
| Software someone else wrote, everyone runs | Heartbleed, "0-days" |
There are many great frameworks for evaluating severity, like MITRE's CVSS.
Verifiable Attacks
Prediction Market on DNS Poisoning
Next, let's narrow the scope. Let's make a market, but only for DNS poisoning.
DNS is a great first start because it's a critical protocol and DNS poisoning attacks can be quite bad. Maybe we could also apply it to BGP and traffic shaping. But DNS for now.
OK.
Domain: omarish.com Resolving event:
- there exists a
TXTrecord with key =vmark_flag - value =
sha256of<your email>,- then two null bytes,
- then a markdown document that explains how you poisoned the DNS.
If someone is able to do this, it's essentially the same privilege required to write a new A record (I think).
Key Compromise
Sign a message with my key and post it somewhere public.
Root Access / Privilege Escalation
Device Takeover
Data Exfiltration
dd if= of a specific filesystem, sha256 it?
What these things have in common
- Hard to do, easier to verify
The Oracle
When I think of this idea, there's always an oracle as part of the on-chain mechanics. I'm not sure exactly how it works, but there are on-chain marketplaces that do things far more complex than this. Essentially, let's imagine we had a pool of 100 verifiers. Pick 10 of them at random. They get to read the attack disclosure. They have an opportunity to flag something that might be an invalid attack path. I can't think of what one would be, other than a fraudulent one (like me changing my own DNS records in the omarish.com example).
Something something proof of staking, rewards, etc. We've figured out on-chain consensus already; these constructs probably already exist.
Objections, and some reasons why this wouldn't work
Isn't this just funding attacks?
No this is funding security. Yes, presumably there would be some time between 1. the market resolving and 2. the vulnerability being patched, ideally in that time frame, the system in question gets fixed.
Why would a speculator take this bet?
There's no such thing as bad risk, only mis-priced risk. This is an intellectual answer, but I wonder if there's something like a hybrid pari-mutuel / on-chain perpetual swaps market.
0-days
This gets really interesting when we think about 0-days.
(TODO)