Tampere University of Technology

TUTCRIS Research Portal

Trading exploits online: A preliminary case study

Research output: Chapter in Book/Report/Conference proceedingConference contributionScientificpeer-review


Original languageEnglish
Title of host publicationIEEE RCIS 2016 - IEEE 10th International Conference on Research Challenges in Information Science
ISBN (Electronic)9781479987092
Publication statusPublished - 23 Aug 2016
Externally publishedYes
Publication typeA4 Article in a conference publication
Event10th IEEE International Conference on Research Challenges in Information Science, IEEE RCIS 2016 - Grenoble, France
Duration: 1 May 20163 May 2016


Conference10th IEEE International Conference on Research Challenges in Information Science, IEEE RCIS 2016


A software defect that exposes a software system to a cyber security attack is known as a software vulnerability. A software security exploit is an engineered software solution that successfully exploits the vulnerability. Exploits are used to break into computer systems, but exploits are currently used also for security testing, security analytics, intrusion detection, consultation, and other legitimate and legal purposes. A well-established market emerged in the 2000s for software vulnerabilities. The current market segments populated by small and medium-sized companies exhibit signals that may eventually lead to a similar industrialization of software exploits. To these ends and against these industry trends, this paper observes the first online market place for trading exploits between buyers and sellers. The paper adopts three different perspectives to study the case. The paper (a) portrays the studied exploit market place against the historical background in the software security industry. A qualitative assessment is made to (b) evaluate the case against the common characteristics of traditional online market places. The qualitative observations are used in the quantitative part (c) for predicting the price of exploits with partial least squares regression. The results show that (i) the case is unique from a historical perspective, although (ii) the online market place characteristics are familiar. The regression estimates also indicate that (iii) the pricing of exploits is only partially dependent on such factors as the targeted platform, the date of disclosure of the exploited vulnerability, and the quality assurance service provided by the market place provider. The results allow to contemplate (iv) practical means for enhancing the market place.


  • attack code, cyber security, e-commerce, offensive security, penetration testing, software vulnerability