Vulnerability market as a public-good auction with privacy preservation

Exploitations of zero-day vulnerabilities cause enormous damages to organizations. Hence, organizations would invest in buying zero-day vulnerabilities to patch their systems. On the other hand, hackers are interested in buying zero-day vulnerabilities to exploit their targets. Considering such a market, the vulnerability finder decides whether to sell the vulnerability information to the organizations or to the hackers in the black market. In this paper, we model the vulnerability market as a public-good auction where the organizations collaboratively bid for the vulnerability information. In this case, an organization determines how much to invest in the vulnerability information to maximize its payoff. First, we characterize the auction and study the bidding strategies in centralized and decentralized approaches, and then, we compare the efficiency of the coalition. Moreover, as the bidding value in such an auction is sensitive information, we present a novel privacy-preserving mechanism based on cryptographic primitives to protect the organizations' bidding value. Our mechanism can also be applicable in other public-good auctions. Security analysis and performance evaluation are conducted showing the practicality of our proposed mechanism. (C) 2020 Elsevier Ltd. All rights reserved.