### Rating (1--4):

+ 3: Weak Accept -- This paper may have flaws, but I would not argue against it at a major conference

### What did this paper do well?

+ Good time span: 2010 - 2017
+ Presents some interesting knowledge regarding an exploit market
+ Presents a good number of references to other papers - it might as well be considered a very good survey paper

### Where did this paper fall short?

+ Scope was limited to just RuMarket, which does not focus on 0day exploits (the most devastating ones)
+ "19 ads selling 35 exploits overall" is quite small for a time span of 7 years?!
+ The market is quite small. Adding one or more markets (besides RuMarket) in different regions (such as China) would be much, much better

### What did you learn from reading this paper?

+ "A uniform distribution of costs among exploits in a package"
+ Some insights into an exploit market (RuMarket), such as the distribution of exploit package types, pricing, etc.
+ Some keywords regarding exploit markets
+ Depending on attackers' goals, not all newly discovered vulnerabilities will be of interest to them.

### What questions do you have about the paper or the area?

+ 3 vendors per year - how fast is this growth rate when compared with other markets?
+ How many "buyers" are there in the market? Demand should be the main factor driving any market, shouldn't it? If so, how would registration criteria like 6-month participation in an affiliated forum affect the rate of potential customers?
+ What are the chances that an EKIT hacking-as-a-service provider can be traced back from their users? (FBI agents "rent" the service and trace it back to the provider.) This could be a good question for law enforcement - one stone hits several birds.
+ What are the relationships between exploit markets and bug bounty markets?