The first rule of zero-days is no one talks about zero-days (so we’ll explain)
How do you defend yourself against the unknown? That is crux of the zero-day vulnerability: a software vulnerability that, by definition, is unknown by the user of the software and often its developer as well.
Everything about the zero-day market, from research and discovery through disclosure and active exploitation, is predicated upon this fear of the unknown—a fear that has been amplified and distorted by the media. Is the world really at threat of destabilisation due to lone-wolf hackers digging up vulnerabilities in popular software packages and selling them to whichever repressive government offers the most money? Or is it just a classic case of the media and megacorp lobbyists focusing on the sexy, scary, offensive side of things, and glossing over the less alluring aspects?
And then what about legislation and regulation of zero-days? In most countries, there are scant legal mechanisms for discouraging or punishing the discovery of new zero-days. There are even fewer laws and directives dictating how zero-days should be responsibly disclosed. It isn’t that lawmakers aren’t aware of these problems, it’s just that there isn’t an easy solution. How do you craft a law that allows some research groups to keep on digging for vulnerabilities while at the same time blocking the black hats? What if the government’s idea of “responsible disclosure” means disclosing all vulnerabilities to GCHQ or the NSA?