Go to page content

Plaintext
Information that makes security stakeholders better off

Article — by Alfonso De Gregorio, 31 January 2011

BeeWise Launches the Beta With Six New Markets

The first security event futures exchange launches with the promise to help security stakeholders to make better and more informed decisions.

On behalf of the BeeWise team, I'm thrilled to announce the launch our website and the upcoming start of beta program.

BeeWise is a testbed for a security-event futures exchange. Participants - yes, you can do it too! - trade contracts whose payoffs are tied to future events in information security, such as the discovery of a given software vulnerability or the diffusion of new malware. With a large enough number of people betting on the outcome of selected events, the prices of the contracts will be an approximate measure of the probability of the underlying events at any time.

The ability to use market prices as forward-looking indicators of security properties will help in establishing information symmetry between buyers and sellers (ie., build a quality signal), and help security stakeholders to make better and more informed decisions, by telling mediocre security products from good ones.

Six new markets have been added and are awaiting the opening. In the next days, selected users will be invited to start trading for fun. Markets will open, the 14th February with the presentation at Mini Metricon.

The beta program will start focusing the market activities on six key software products, that have become increasingly critical components in the operations of our infrastructures, cutting across almost every aspect of  global, national, social, and economic function. They are:

  • Microsoft .NET Framework;
  • GNU Lib C;
  • Microsoft Windows 7;
  • Apple Mac OS X;
  • Linux Kernel 2.6.x;
  • OpenBSD IPSEC Stack.

They have been selected according to a number of criteria, including:

  • The potential impact of vulnerabilities on their stakeholders;
  • Their typology (eg., libraries and TCB, operating systems, enterprise software);
  • The degree of scrutinity received so far;
  • Their popularity;
  • The expected maturity of the code base, and;
  • Statistics about the vulnerabilities that affected each so far.

All markets requires the associated vulnerability to have been acknowledged by the vendor, or confirmed from an external event such as the publication of functional or proof-of-concept exploit code or widespread exploitation by the market closing date.

The market settlement will happen after the outcome is validated. The validation requires the CVE candidates assigned to the vulnerability to be profiled by the NIST National Vulnerability Database (NVD), no later than closing date.

The vulnerabilities underlying these first six markets range from those requiring specialized access conditions - this is the case of the market for the GNU Lib C or .NET Framework 4.x -, to vulnerabilities impacting the availability - markets for Apple Mac OS X or Linux Kernel 2.6.x -, to security issues  exploitable with network access - market for Windows 7.

A special mention is deserved by the market about the allegations about an FBI-planted back door in the OpenBSD IPSEC Stack:

There are allegations about an FBI-planted back door in the OpenBSD IPSEC stack.

The contract pays $100 BEE dollars to the holder, if the allegations will be confirmed (RC:C), by March 31 2011 (3.11). The contract is related to vulnerabilities:
- not requiring the attacker to authenticate in order to exploit them (Au:N), and 
- partial or complete impact on confidentiality (C:P,C), and
- acknowledged by the vendor or software authors, or confirmed from an external event such as the publication of functional or proof-of-concept exploit code, or widespread exploitation.

NB: The BeeWise Code is built according to the abbreviated metrics name defined by CVSS - Common Vulnerability Scoring System.

If you have comments or concerns about these first six markets, feel free to reach us by the end of the grace period.

For more, join my presentation in San Francisco at Mini Metricon 5.5 on 14th February, visit BeeWise markets, and join our beta.

Are you ready? BeeWise, Value Your Wisdom!