Software Security's Futures Plural
An update on BeeWise.
Abstract. Security stakeholders face a challenging task in assessing the risks they are exposed to, as they have incomplete information about the number and the severity of vulnerabilities affecting their systems. As a matter of fact, current economic, regulatory and legal incentives are misaligned, distorted or ineffectual.
Exploit derivatives promise to provide a financial instrument useful for establishing information symmetry between buyers and sellers, giving software manufacturers incentives to build security in, and hedging against information security risks.
This work introduces BeeWise, a first testbed for a security-event futures exchange, where participants trade contracts whose payoffs are tied to future events in information security (e.g., the discovery of a given software vulnerability). In its first stage, BeeWise will be based on play money and is aimed at helping to balance the information between buyers and sellers, paving the way towards a full-fledged derivatives market.
The expectation is that in the presence of sufficient market liquidity and low transaction costs, the prices of the contracts will be an approximate measure of the probability of the underlying events at any time.