- Mathieu Provencher
Promoting White Hats
Do you guys know what "White Hats" are in the hacking community? How could we make more hackers/programmers join this group? This is clearly Micro!
Companies have started offering rewards to hackers who identify a vulnerability and offer a patch for it. Some companies offer well over $100'000 for that! However, there is indeed a black market for these same vulnerabilities. An interviewee I recently listened to argued that companies must offer at least the black market price in order to get these black hats to "convert" and hand over the information. Although this is very intuitive, I believe it is wrong... I think companies can offer a reward lower than the black market price and still get enough white hats to stop their threats.
Hacking information is a product unlike many others: it is what we call a non-rivalrous good (a service in this case). That means that consumption by one individual doesn't prevent consumption by other individuals.
Let's assume that there is a potential security breach in a specific platform and that three people are able to find it (within a relatively short time, let's say). Assuming that all three want to sell that information at the highest price possible (let's put aside morality here, which would reinforce my argument even more), a genuine source (the manufacturer of the platform, for example) could buy that information at a lower price than the highest price it will be bought at.
How, you ask? Here's how. A competitor might want to pay a fairly high price for the information in order to hurt the firm operating that platform, and as such will most probably be able to find a seller fairly easily. So one of the three hackers can make a nice profit by selling to the competitor (which offers the most money). Once this is done, that competitor will not want to buy any more "copies" of that product because it wouldn't help in any way (once you know the weakness, you don't need to learn it again and again, assuming that there is only one weakness in this case).
As such, there are still two hackers who want to sell that information, and now fewer buyers are interested (one already has it). The next individual offering the most money for the information will get it from one of the two hackers, probably at a lower price than what the first company paid (because the first one is now out of the market). Once this is done, that company will not want to keep buying the information, since it already has it. Eventually, there will be fewer and fewer buyers for the information, as the ones willing to offer the most already have it, and the price the remaining hackers can expect to get for their information will decrease... up to the point where the genuine source (the company that created the programme in the first place) is the one offering the most money, at which point it will buy it and repair the weakness.
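The sequential-sale argument above can be turned into a small model. This is an added example, not part of the original post: buyers have a fixed willingness to pay, each hacker sells one copy to the highest remaining bidder, and a buyer who already holds a copy drops out (the non-rivalrous part). The buyer names and bid amounts are constructed sample values, and ties are assumed to go against the vendor. The `min_vendor_bounty` function generalises the story: with n sellers, the vendor only has to beat the n-th highest black-market bid, not the highest one.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Buyer:
    name: str
    bid: int          # what this buyer is willing to pay for one copy
    has_info: bool = False


def make_market() -> List[Buyer]:
    """Constructed sample market: three black-market buyers plus the vendor's bounty.
    The vendor is listed last so that max() breaks ties in a competitor's favour."""
    return [
        Buyer("competitor_A", 120_000),
        Buyer("competitor_B", 80_000),
        Buyer("competitor_C", 30_000),
        Buyer("vendor", 50_000),   # the "genuine source" offering a bug bounty
    ]


def simulate_sales(buyers: List[Buyer], n_sellers: int) -> List[Tuple[str, int]]:
    """Each of n_sellers hackers sells one copy to the highest bidder who does not
    yet hold the information. Returns the sequence of (buyer, price) transactions."""
    sales: List[Tuple[str, int]] = []
    for _ in range(n_sellers):
        candidates = [b for b in buyers if not b.has_info]
        if not candidates:
            break  # everyone already holds a copy; the remaining sellers earn nothing
        top = max(candidates, key=lambda b: b.bid)
        sales.append((top.name, top.bid))
        top.has_info = True  # non-rivalrous: the buyer leaves the market, the copy persists
    return sales


def vendor_wins(buyers: List[Buyer], n_sellers: int, vendor_name: str = "vendor") -> bool:
    """True if the vendor obtains a copy before the sellers run out."""
    return any(name == vendor_name for name, _ in simulate_sales(buyers, n_sellers))


def min_vendor_bounty(competitor_bids: List[int], n_sellers: int) -> int:
    """Smallest bounty that still secures a copy: it must exceed the n-th highest
    competitor bid (ties assumed to go to the competitor). If there are fewer
    competitors than sellers, any positive bounty eventually wins a copy."""
    ranked = sorted(competitor_bids, reverse=True)
    if n_sellers > len(ranked):
        return 1
    return ranked[n_sellers - 1] + 1


if __name__ == "__main__":
    for name, price in simulate_sales(make_market(), n_sellers=3):
        print(f"{name:<13} pays {price:>7}")
    bids = [b.bid for b in make_market() if b.name != "vendor"]
    print("bounty needed with 3 sellers:", min_vendor_bounty(bids, 3))
    print("bounty needed with 2 sellers:", min_vendor_bounty(bids, 2))
```

Run as a script, it shows the vendor acquiring the third copy at 50,000 while the top black-market price was 120,000, and it reports how the required bounty rises when fewer hackers are expected to find the bug. The model keeps the post's simplifying assumptions (a single weakness, every finder willing to sell, full information about bids) and says nothing about how real buyers behave.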
See guys, the "usual" markets we see in class deal in private goods, which are rivalrous and excludable: one person's consumption prevents someone else's consumption, and people can be charged for the product. Anything outside these assumptions can give very different outcomes. See you guys around!