What if… the world actually cooperated to detect and patch zero-day vulnerabilities – and made us all safer in the process?
Saving the World One Zero-day Vulnerability at a Time
2019 and 2020 were bruising years – damaging and destabilising cyberattacks, many exploiting zero-day vulnerabilities, became the norm. Despite endless multilateral meetings designed to build confidence, states were no closer to agreeing to norms of behaviour regarding the reporting, stockpiling or use of zero-day flaws. For all the talk, the result was simply a vicious circle: mistrust, leading to more finger pointing; bad outcomes for end users, leading to increased mistrust; and so on.
The key to de-escalation came from an unlikely quarter. In February 2021, an unidentified group created a highly-distributed mesh of cryptographically-secured repositories, collectively called BlackBox. They uploaded hundreds of .txt files describing zero-day vulnerabilities. They emailed the CTOs or CIOs of the software and hardware companies concerned – with credentials to access one specific vulnerability – as an indication of BlackBox's credibility. The only catch: each company would only get more information as it demonstrated further action in good faith. Disclose your tally of known, unfixed flaws, and you'd get the tally of how many BlackBox had; publish one patch, and you'd get a key to the next one; upload one of your own unfixed flaws, and you'd get a two-for-one deal; and so on. BlackBox's rationale was that bug bounties alone had never been enough to make the ecosystem healthier as a whole.
At first, few responded, presuming either a phishing scam or a precursor to blackmail. But no ransom demand arrived and slowly, incrementally, back channels between researchers who’d done graduate work together built trust in the bona fides of the operation. Word also spread through the tight-knit state-security community, who saw – among the published fixes and patches – both zero-days that they had thought only they knew about, and zero-days they hadn't even found themselves. Soon, those in the loop, including major global businesses and state agencies, weren’t just pulling down information about their own vulnerabilities, but offering up information as well.
Academics saw that if they reported zero-days to BlackBox the resulting fixes came out faster, giving them a quick and safe route to publication of their work. Within a year, a number of governments relaxed their policies on prosecution of hacking for research, on the understanding BlackBox would be used as a “clearing house”. The BlackBox group responded by layering a cryptocurrency onto their mesh architecture, as a bounty mechanism for third-party contributions and a “proof of first report”. Within two years the world had benefited from fewer breaches and a 70% drop in cyberattacks.
This story shows us how the Internet might evolve. But the path we take is up to us.