This paper analyzes the grey market for cyber materials by evaluating the current nature of transactions within the market. This paper claims that vendors ought to be required to disclose information (to companies) on the vulnerabilities, exploits, and botnets that are sold. Analyses include:

a) Historical cases of weaponized cyber materials

b) Statistics on the costs associated with the grey market

c) Explanation of risks associated with unregulated grey market activity

Limitations to mandatory disclosure outlined in the paper include the:

a) Culture of anonymity within the market

b) Appeal of lucrative job prospects for hackers who rely on the secretiveness of the market

c) Perception of risks

Another overarching, key argument presented for non-regulation is the need for government agencies to preserve their access to tools of offensive warfare that are bought on the grey market.

In response to limitations, this paper finds that mandatory disclosure would, at minimum, allow software companies the opportunity to further pursue the protection of their systems and limit the risks of an unregulated market. This paper finds that enabling software companies best serves the interest of overall security and does not completely undermine the ability for government agencies to purchase offensive mechanisms.