Marketplaces for malware exist on the web and between individuals and many different types of transactions take place in these markets. There are essentially two overlapping markets for malicious software. The “defensive market” is home to software vendors and firms working to obtain software vulnerabilities in order to develop patches. The “offensive market” is home to states and criminal groups, actors purchasing components and services in order to compromise computer systems. There are many common goods between the two—vulnerabilities, for example, are simply information and can be rediscovered by many parties or traded at no marginal cost and provide value to vendors and attackers alike. The “defensive market” buys through different mechanisms, however, with greater transparency through competitions and even some publicly available bug bounty leaderboards. The “offensive market” resembles a more traditional illicit marketplace with highly opaque transactions and a larger role for intermediaries to manage uncertainty and reputation across participants.
Governments participate in these markets. As offensive actors, governments purchase everything from vulnerabilities to entire surveillance systems. Organizations like the FBI may find themselves unable to solve difficult technical problems, turning to companies to overcome challenges like a locked iPhone. Countries without the technical chops to build surveillance malware themselves, like Mexico, use the markets for malware to outsource jobs or development to a third party. The resulting tool could be expensive, in the order of millions of dollars, even if only useful for a short time. As defensive actors, governments encouraging security standards that make attacks more difficult and even driving disclosure of vulnerabilities with programs like Hack the Pentagon.Companies play a major role as well, both offensive and defensive. Software vendors produce software whose functionality is manipulated by attackers. Many of these same companies offer bug bounty programs, small cash payments in exchange for identifying flaws in their software, act as a form of competition to those looking for vulnerabilities for malicious purposes. Netscape, the company which would become Mozilla, was one of the first to offer such a program back in 1994 for the Netscape browser. Today, dozens of organizations have bounties programs including Google, Microsoft, and even Apple, while companies like BugCrowd and HackerOne offer to build and run bounty programs for other firms. Some of these vulnerabilities might otherwise flow to offensive actors, including companies like Zerodium. These brokers buy and sell to a variety of groups, including non-state actors and governments.