Characterising 0-Day Exploit Brokers

Matthias Dellago, Daniel W. Woods, Andrew C. Simpson

Research output: Contribution to conferencePaperpeer-review

Abstract / Description of output

0-day brokers are market makers who serve both adversaries seeking to exploit computer systems and researchers who develop the means to do so. This involves searching for buyers/sellers, negotiating prices and contracts, and monitoring the contract. In this paper we characterise the search aspect of 0-day broking. We extracted longitudinal data on two brokers who list prices on a public website and then plotted how the price of different types of exploit and targeted systems changed over time. As the data is not updated sufficiently regularly or frequently to build a timeseries model, we conducted a regression analysis of the most recent snapshot of prices. The results suggest that properties of the exploit (e.g. the functionality it achieves) provide the most explanatory power, and that the system targeted by the exploit provides less explanatory power. We compare the price of exploit to three metrics (number of CVEs, detected 0-days, and user base) over time. Finally, we discuss what inferences we can make about systems security and the operations of adversaries, hypothesising a trade-off between secrecy and the competitiveness of the supply-side. 0-day brokers who publicly advertise prices offer cheap exploits but little secrecy.
Original languageEnglish
Number of pages25
Publication statusPublished - 22 Jun 2022
EventThe 21st Workshop on the Economics of Information Security - Tulsa, United States
Duration: 21 Jun 202222 Jun 2022
Conference number: 21


WorkshopThe 21st Workshop on the Economics of Information Security
Abbreviated titleWEIS 2022
Country/TerritoryUnited States
Internet address


Dive into the research topics of 'Characterising 0-Day Exploit Brokers'. Together they form a unique fingerprint.

Cite this