MIT Sloan researchers to present model on vulnerability discovery at RSA Conference

Findings show it’s not a bidding war on price

CAMBRIDGE, Mass., April 20, 2015 – When a popular product is launched, a high-stakes race begins between the offense and defense markets to find vulnerabilities. Recent bug bounty programs have changed market dynamics. Studying the true levers in the market, Michael Siegel, a principal research scientist at the MIT Sloan School of Management, and Katie Moussouris, chief policy officer for HackerOne, have created the first dynamic systems model to show the forces of supply and demand at work in the world of vulnerability discovery.

On April 21, Siegel and Moussouris will present the model at the RSA Conference in a session titled, “The World of Vuln Street: The 1st System Dynamics Model of the 0day Market”.

They will explain how price is not the sole force at work, and how defenders can gain an advantage. Their presentation will address several key lessons for organizations, including:

- The vulnerability market is not controlled by price alone. Many levers exist that tip the scales between attackers and defenders.

- Creating incentives for tools and techniques for vulnerability discovery is a more efficient way for defenders to drain the offensive stockpile.

- Bug bounties are still effective to help find vulnerabilities, especially in less mature software.

They also will explain how governments, which are in the role of both attacker and defender, need to broaden the focus of policy debates: it is not just about whether or not to stockpile individual vulnerabilities for offense.

Siegel and Moussouris maintain that when governments find an individual vulnerability, they reap defense gains by making vulnerability discovery tools and techniques available to defenders.

Michael Siegel is a principal research scientist at MIT Sloan and the co-director of the PROductivity from Information Technology (PROFIT) Project. His research interests include the integration of information and the use of modelling and data analytics to analyze complex systems.

Katie Moussouris is chief policy officer for HackerOne, a platform provider for coordinated vulnerability response and structured bounty programs. She directs the company's philosophy on vuln disclosure, advises customers and researchers, and works to legitimize and promote security research to help make the Internet safer for everyone. Her earlier Microsoft work encompassed industry-leading initiatives, such as Microsoft's bounty programs.

The MIT Sloan School of Management is where smart, independent leaders come together to solve problems, create new organizations, and improve the world. Learn more at mitsloan.mit.edu.