← Investigations

INV-003

The Bazaar, the Maharajah's Ultimatum, and the Shadow of the Future

Extortion and cooperation in the zero-day market, read through game theory

A Pwnshow Investigation · 2015 · Status: completed · Programs: Investigations

The Bazaar, the Maharajah's Ultimatum, and the Shadow of the Future — cover

1. The question

The market for zero-day vulnerabilities is secretive, unregulated, and structurally hostile to the people trading in it: the commodity is a wasting asset, prices are opaque, intellectual property cannot be shown without risking its theft, and contracts cannot be enforced across anonymous, international counterparties. INV-003 asks whether cooperation can nonetheless emerge in such a market — with no trusted third parties, and even under anonymity — and, conversely, under what conditions one party can systematically extort the other. It treats a market that is usually described in anecdotes as a formal object: a repeated game with specific payoffs, whose equilibria can be reasoned about rather than merely reported.

2. Method note

Movements. Conceive the adversarial process; match it to a researched subject; translate across registers. The conceived process was to model the zero-day transaction as an original game — the 0-Day Dilemma — and then import the mature body of results on repeated games, zero-determinant strategies, and experimental economics to derive predictions about when cooperation holds and when extortion becomes available.

Instruments. A custom stage game (the 0-Day Dilemma) generalising the Prisoner’s Dilemma to capture the seller’s retaliation options — accept the loss (Submissive), resell the same IP (Adaptive), or publicly disclose it to destroy its value (MAD, a deliberate analogue of mutually assured destruction); its iterated form; the Press–Dyson theory of zero-determinant strategies; the Ultimatum Game; and the Camera–Casari experimental findings on cooperation among strangers under the shadow of the future. Three market structures were analysed: onymous, fully anonymous, and semi-anonymous.

Exclusions. The work is explicitly theoretical, and says so: its recommendations are derived, not yet experimentally verified, and the paper closes by calling for that verification. No transaction data or counterparties are named beyond those already public in the Hacking Team leak, which is used only as an illustrative case of the semi-anonymous setting.

3. Findings

  1. Cooperation does not require trusted third parties. In the onymous, indefinitely repeated market, rational players can sustain cooperation — a classical result, but one with direct force here: escrow and reputation intermediaries are not strictly necessary for the market to function.
  2. Punishment is the mechanism that sustains it. The seller who moves first can still deter a defecting buyer by retaining the ability to retaliate — by reselling (Adaptive) or by disclosing (MAD). In the one-shot game, cooperation is possible precisely when the seller moves first and holds a credible punishment.
  3. Full disclosure is brinkmanship, not bragging. Public disclosure re-enters the analysis as a rational instrument: by collapsing the temptation payoff toward the punishment payoff, a credible threat to disclose removes the buyer’s incentive to defect. This reframes an old community ritual as modern-day deterrence — and implies demand for an OPSEC-preserving disclosure channel.
  4. Anonymity does not preclude cooperation, but semi-anonymity invites extortion. Cooperation can emerge even among strangers; but where exactly one party is anonymous, the onymous counterpart is forced to play as a memoryless “evolutionary” agent, and an anonymous player who understands zero-determinant strategies can extort them systematically. The analysis vindicates, formally, the instinct of the Hacking Team COO who refused to deal with an anonymous seller.
  5. A concrete strategy set follows for traders, differentiated by market structure: don’t deal with anonymous counterparties unless you can guarantee your own anonymity; cast the shadow of the future over every decision; retaliate to promote cooperation; let the seller supply first in one-time deals; learn zero-determinant strategies in onymous markets; and default to grim-trigger defection where you can neither identify nor punish an opponent.

4. Consequence

Founding. This analysis was the intellectual groundwork for Zeronomicon, the vulnerability-acquisition platform founded at the end of 2015, immediately after this conference cycle. The relationship between this investigation and that company is disclosed in full in §8, and governed by the agency’s Independence Policy.

Recognition. Darren Pauli covered the AusCERT delivery for The Register (June 2015), reporting the counter-intuitive central thesis — that in the exploit business, full disclosure functions as a seller’s best defence against buyer defection.

Discourse. Delivered across four venues on three continents in a single 2015 cycle — CODE BLUE (Tokyo), HITB GSEC (Singapore), PHDays V (Moscow), and AusCERT (Gold Coast) — the investigation introduced a formal vocabulary (the 0-Day Dilemma; the Submissive/Adaptive/MAD retaliation triad) into a domain that had been discussed almost entirely anecdotally.

5. Artefact record

#ArtefactTypeVenue / identifierDateAccess
1The Bazaar, the Maharajah’s Ultimatum, and the Shadow of the Future: Extortion and Cooperation in the Zero-day Market — delivery draft (informal paper)paper (informal)CODE BLUE 2015, TokyoOct 2015paper
2The Bazaar, the Maharajah’s Ultimatum, and the Shadow of the Future — slide deck / ebookslidesAusCERT 2015, Gold CoastJun 2015slides
3Talk — AusCERT 2015talkAusCERT, Gold Coast, AustraliaJun 2015
4Talk — PHDays VtalkPHDays V, MoscowMay 2015
5Talk — CODE BLUE 2015talkCODE BLUE, TokyoOct 2015recording
6Talk — HITB GSEC 2015talkHITB GSEC, Singapore2015recording
7”In the exploit biz, full disclosure is your best friend, boffin says” — press coveragepressThe Register (Darren Pauli)Jun 2015press

The four talks share essentially one delivery draft and one deck; artefacts 1 and 2 are therefore the canonical record, and the talk rows point to venue-specific recordings where they exist.

6. Continuity

Inherits: the incentive-alignment programme of INV-001 (BeeWise; the prediction market as an attempt to build a quality signal into the security market) — INV-003 turns the same economic lens from pricing security to the strategic dynamics of the transaction itself. Feeds: the operational understanding of capability markets that informs INV-007’s policy analysis, the zero-day market analysis that informs the code of ethics for the acquisition and trade of cybersecurity capabilities INV-004, and — outside the investigation series — the founding of Zeronomicon (§4, §8).

7. What’s next

8. Provenance

*Provenance. This investigation was produced without external funding. It bears the most direct connection to a Related Entity of any work in the Pwnshow series: its analysis was the intellectual groundwork for Zeronomicon, the vulnerability-acquisition platform founded and directed by the author at the end of 2015, after this research was completed. The findings are theoretical results in game theory, drawn entirely from public and academic sources together with the author’s general expertise; they were published openly in 2015 and contain no non-public commercial information. The relationship is disclosed here because the intellectual lineage is real and material to how this investigation should be read — not because the findings confer any commercial advantage, since they were public then and remain so. This entry documents research predating both Zeronomicon and this Policy; it is a historical record, not a new Policy-Facing output, and §4.5 review does not apply. Added 2026/07/08 under Policy v1.0.

Page last updated: 2026/07/08 · Part of the Pwnshow investigation series

← Investigations index

Let's outplay.

Pwnshow (formerly secYOUre) · Rome, Italy · Investigating vulnerability since 2010. © 2026 Pwnshow