INV-001
BeeWise
Software security's futures, plural: a prediction market as a security-metric instrument
A Pwnshow Investigation · 2010–2014 · Status: completed · Programs: Investigations

1. The question
Security stakeholders cannot price the risk they carry, because they have incomplete information about the vulnerabilities in their systems and no forward-looking measure of them. INV-001 asks whether a market can supply what engineering cannot: a predictive, self-updating signal of software insecurity, and — in the same instrument — a way to realign the incentives that produce insecurity in the first place. It is the headwater of the series’ economic line of inquiry, the first attempt to treat vulnerability as a tradable, priceable object rather than only a technical defect. The question it opened — can markets build a quality signal into security? — is the one INV-003 later turns toward the strategic dynamics of the zero-day transaction, and INV-007 toward the governance of capability markets.
2. Method note
Movements. Conceive the process; execute to the standard of a working system; translate across registers. The conceived process was to reframe exploit derivatives — binary-option contracts paying out on security events — as an event-futures (prediction) market, thereby sidestepping the bootstrapping problems that had kept derivatives theoretical, and to build it as a running platform rather than a proposal.
Instruments. A prediction-market design settled in play money (“Bee dollars”); two market types (binary markets paying on the occurrence of a defined event; index-based markets paying a function of an underlying index); contract naming and settlement anchored to the NIST National Vulnerability Database and CVSS; and derived metrics computed across contracts — the price spread between related contracts as a measure of relative security, and the joint probability of failure across a pair as a measure of defense-in-depth. The economic grounding was explicit: Akerlof’s market for lemons and the tragedy of the commons (via Ross Anderson) to diagnose the failure, and the Hayek hypothesis — that dispersed asymmetric information is best aggregated through a price mechanism — to justify the cure.
Exclusions and boundaries. BeeWise was deliberately stage one of a three-stage programme: prove the concept in play money first, then move to fiat, then approach exchange-traded derivatives that would reproduce the same dynamics with real contracts. Only the play-money stage was realised. The platform was a beta and did not reach the liquidity or the heterogeneous user base a working prediction market requires — stated here plainly, because the boundary of what was achieved is part of the record.
3. Findings
- Software insecurity is a market failure, not merely a technical defect. On the supply side the market for lemons predicts vendors under-supply security; on the demand side the tragedy of the commons predicts users under-demand it. The defining property of a market failure is the inability to self-correct — which is why purely technical remedies do not close the gap.
- There are two non-exclusive correctives: regulation or new markets. Either raise the private cost of insecurity through liability models, or build markets with feedback mechanisms that rebalance information between buyers and sellers. BeeWise pursues the second.
- Market prices are forward-looking security metrics. Unlike metrics deduced from scarce historical incident data, prices encode participants’ expectations about the future; the observation of economic agents’ decisions yields operable, predictive indicators of security properties — a metric for security in the absence of incidents, not merely a post-hoc indicator of insecurity.
- An ideal vulnerability market must serve three-plus-one functions — information, incentive, risk-balancing, and (orthogonally) efficiency — and the existing proposals each fail at least one: bug challenges and auctions cannot do risk-balancing and yield only a lower bound on price; brokers do not reliably disclose; cyber-insurance and exploit derivatives are the most promising, the latter giving the timeliest indicator.
- Exploit derivatives can be bootstrapped as a play-money prediction market. Since controlled experiments found play-money markets about as accurate as real-money betting markets for information aggregation, framing derivatives as a prediction market relaxes the hard-currency and trusted-settlement obstacles at the outset — which is the specific move BeeWise makes.
4. Consequence
First of its kind. BeeWise was the first prediction market for forecasting security events and trends — the earliest attempt to operationalise vulnerability-as-tradable-signal in a running platform.
Programme seeded. The investigation opened the vulnerability-markets line that the series still runs on: its incentive-and-signal framing is the acknowledged predecessor of INV-003’s game-theoretic analysis of the zero-day transaction, and stands further upstream of INV-007’s work on capability-market governance.
Discourse. Carried across three venues under the banner Software Security’s Futures — Plural: MiniMetricon 5.5 (San Francisco, February 2011), RSA Conference Europe (London, October 2011), and an invited talk at IFIP TM’s “Security by Design: From Theory to Practice” (Málaga, June 2013). The “futures plural” framing — that software security has not one future but many, and that we inhabit the one we choose — is the rhetorical seed of the agency’s later insistence that foreseeable failures are chosen, not fated.
Honest boundary: the programme did not advance beyond its play-money stage; the fiat and exchange-traded-derivative stages were never reached, and the platform is now offline. INV-001 is recorded as the origin of a continuing inquiry, not as a market that cleared.
5. Artefact record
| # | Artefact | Type | Venue / identifier | Date | Access |
|---|---|---|---|---|---|
| 1 | BeeWise: A Futures Market for Fostering Security by Design — delivery draft (informal paper) | paper (informal) | IFIP TM 2013, Málaga | Jun 2013 | paper |
| 2 | BeeWise / IFIP TM — speaker’s notes | notes | IFIP TM 2013, Málaga | Jun 2013 | notes |
| 3 | Software Security’s Futures Plural — speaker’s notes | notes | MiniMetricon 5.5, San Francisco | Feb 2011 | notes |
| 4 | Software Security’s Futures Plural — slide deck | slides | MiniMetricon 5.5 (built in Prezi) | Feb 2011 | slides |
| 5 | BeeWise: A Futures Market for Fostering Security by Design — slide deck | slides | IFIP TM 2013 (built in Prezi) | Jun 2013 | slides |
| 6 | Software Security’s Futures Plural | talk | RSA Conference Europe, London | Oct 2011 | slides |
| 7 | BeeWise — prediction-market platform (beta) | code / platform | beewise.com | 2010–2014 | Offline; domain now shows a landing page. screenshot |
6. Continuity
Inherits: —. This is the origin of the economic line of the series. (Chronologically it is preceded only by INV-000’s work on cryptographic fault attacks, which belongs to a separate, technical lineage.) Feeds: INV-003, which turns the incentive-and-signal question into a strategic analysis of the zero-day transaction, and — further downstream — INV-007’s analysis of capability-market governance.
7. What’s next
—
8. Provenance
Provenance. This investigation was produced without external funding. It documents BeeWise, the author’s own venture of the period, now closed; BeeWise is not a current Related Entity and holds no ongoing commercial interest that its findings could serve. The findings are economic and design results drawn from public and academic sources together with the author’s general expertise, and contain no non-public commercial information.
This entry documents research predating this Policy; it is a historical record. Added 2026/07/08 under Policy v1.0.
Page last updated: 2026/07/08 · Part of the Pwnshow investigation series
← Investigations index