Vulnerability lifecycles and vulnerability markets are related in a manner that can lead to serious security and economic risks, especially regarding black markets. The subject of software security has emerged as a primary concern and has once again been raised by individuals and government agencies in terms of the risks of violations of information security and cybersecurity, and the consequences for the economy, especially in relation to attacks from actors with special agendas. Software vulnerabilities therefore have major effects on the development paths of technology and investment.
A vulnerability is established when a code or specification error occurs. The possible vulnerability lifecycle therefore has many phases, including discovery, disclosure, patching, and exploitation. These phases have several impacts; discovery and exploitation in particular can be the critical phases for determining the degree of risk involved. Potential vulnerability exploitations will have a major economic impact on the software industry, including software vendors and end users (i.e., individuals and organizations). A data security breach can cause a loss of confidentiality, including leaks to groups deemed dangerous to society, leading to direct and indirect cost losses. There is a relationship between the number of code development changes in such software, resulting from software development methods, and the probability of discovering software vulnerabilities that can lead to changes in the software's security. Therefore, vulnerability disclosure policies that release patches for discovered vulnerabilities are key to reducing the impact on security and the economy, especially if the disclosure is made by reliable agencies, since it has a direct effect on the vendor patch time. If the vulnerabilities are not patched by the software vendor, zero-day exploits will be identified, and the related security risks of vulnerability exploitation and disclosure will increase. Some studies have been conducted on the vulnerability lifecycle and the major players in a security ecosystem, covering discovery motivations along with search tools, vulnerability markets, criminals, vendors, security information providers (SIPs), and the public, based on thousands of publicly disclosed vulnerabilities.
Financial rewards are often the primary motivation for discoverers looking to detect vulnerabilities, and are frequently the reason for attacking people and organizations. Therefore, the discovery phase is becoming the main phase to focus on, since it has the most impact on vulnerability markets. Private organizations, and even several governments, now participate in vulnerability markets where vulnerabilities are traded. Vulnerability markets have expanded to include legitimate, grey, and black markets. Legitimate markets are encouraged by creating vulnerability rewards programs (or bug bounty programs); related work includes the investigation of crowdsourcing vulnerability discovery events, the protection of smart cities and e-governments that use the Internet of Things (IoT) against potential security attacks, and the investigation of alternative economic solutions, ranging from incentive systems to market-based solutions. The average cost of running these reward programs for a year is currently less than the cost of recruiting two additional software engineers. In addition, vulnerability rewards programs reduce the risks associated with the use of other types of markets, such as black markets, where discoverers can maximize their incentives and the main customers intend to use these vulnerabilities to attack specific targets for money. From this perspective, encouraging the establishment of many reward programs will minimize black-market transactions and their implications, and these programs can play a great role in supporting cybersecurity. Based on this idea, the search for new, effective, and worthwhile vulnerability rewards based on a modern economic model should fill the gap between these types of markets.
Many studies illustrate that each phase of the vulnerability lifecycle is likely to be correlated with some types of vulnerability markets, and that this can produce risks to the economy and to security. For example, Munaiah and Meneely demonstrated, using empirical analysis, a weak relationship between the Common Vulnerability Scoring System (CVSS) and reward incentives, based on 703 vulnerabilities across 24 products. In contrast, Burkart and McCourt, and Allodi, studied the economics of vulnerability exploitation based on data collected from a cybercrime market. They found strong evidence of a correlation between vulnerability market activities and the probability of exploitation, which led to varying exploitation prices.
Other studies have focused strongly on vendors' patching behaviour in response to the threat of vulnerability disclosure and the presence of competitors. Anderson et al. proposed 15 policies that tackle issues related to information security and that affect the security economics of the European Union. In addition, they encourage internet service providers (ISPs) to take serious steps to clean infected devices and to maintain all information or databases that record cybersecurity incidents, as well as breaches that heavily impact the economy. Even the reporting of software vulnerabilities in products can adversely affect the software vendors' market value.
2. Vulnerability Lifecycle Phases
The vulnerability lifecycle model shows how a vulnerability evolves over time. The lifecycle of a vulnerability is divided into phases based on distinctive points in time, where each of them indicates a state and an associated risk. Thus, the term vulnerability lifecycle denotes a fixed and linear progression from one phase to the next, used to comprehend vulnerability behavior. The following have been addressed as possible states of a vulnerability:
Birth: this refers to the occurrence of a software defect or flaw.
Discovery: the vulnerability in the software product is discovered. The vulnerability discoverers can be either black hats or white hats.
Disclosure: the discoverers have the option of exposing the details of the vulnerability to the developer or to the general public.
Correction (patching): the vulnerability is fixed by releasing a software modification through software vendors or developers.
Publicity: a vulnerability can be made public in different ways.
Scripting (exploitation): anyone with moderate skills can successfully exploit a new vulnerability.
Death: this state occurs when the vulnerability has been patched or the attackers have lost interest.
Vulnerability lifecycle discussion can aid the development, deployment, and maintenance of software systems, as well as the formulation of future security rules and the auditing of previous incidents. As a result, security concerns regarding different software products from various vendors can be assessed. The sequence of the exploitation, disclosure, and patching states is not always fixed, as exploitation and patching can sometimes occur earlier than, at the same time as, or after the disclosure state.
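To make the state model above concrete, here is an added Python example (it is not from the paper) that records the dated events of one vulnerability, reports which of the named states it is in on a given day, shows the order in which exploitation, disclosure and patching actually occurred, and measures how many days it was exploitable before and after disclosure. The timelines, dates and the names of the functions are constructed for illustration.

```python
"""Worked model of the vulnerability lifecycle states: birth, discovery,
disclosure, correction (patch) and scripting (exploit).
All dates below are constructed for the example; they are not real advisories."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VulnerabilityTimeline:
    birth: date                          # flaw introduced (code or specification error)
    discovery: Optional[date] = None     # found by a black hat or white hat
    disclosure: Optional[date] = None    # details given to the vendor or the public
    patch: Optional[date] = None         # correction released by the vendor
    exploit: Optional[date] = None       # scripting: a usable exploit exists

    def validate(self) -> None:
        for name in ("discovery", "disclosure", "patch", "exploit"):
            d = getattr(self, name)
            if d is not None and d < self.birth:
                raise ValueError(f"{name} cannot precede birth")


def current_state(t: VulnerabilityTimeline, today: date) -> str:
    """Map the timeline to the paper's named states as of `today`.
    'Death' through loss of attacker interest cannot be read from dates, so a
    patched vulnerability is reported as 'Correction'."""
    t.validate()
    if t.patch is not None and t.patch <= today:
        return "Correction"
    if t.exploit is not None and t.exploit <= today:
        return "Scripting"
    if t.disclosure is not None and t.disclosure <= today:
        return "Disclosure"
    if t.discovery is not None and t.discovery <= today:
        return "Discovery"
    return "Birth"


def state_order(t: VulnerabilityTimeline) -> str:
    """Order in which exploitation, disclosure and patching actually happened
    ('=' marks same-day events), since that sequence is not fixed."""
    events = sorted((d, n) for n, d in (("exploit", t.exploit),
                                         ("disclosure", t.disclosure),
                                         ("patch", t.patch)) if d is not None)
    parts = []
    for i, (d, n) in enumerate(events):
        if i:
            parts.append("=" if d == events[i - 1][0] else "<")
        parts.append(n)
    return " ".join(parts)


def exposure_windows(t: VulnerabilityTimeline, today: date) -> dict:
    """Days of exploitation exposure, split by whether a disclosure existed.
    Exposure runs from the exploit date to the patch date (or `today` if unpatched)."""
    t.validate()
    end = t.patch if (t.patch is not None and t.patch <= today) else today
    patch_lag = (end - t.disclosure).days if (t.disclosure is not None and t.disclosure <= end) else 0
    result = {"order": state_order(t), "patch_lag_days": patch_lag,
              "zero_day_days": 0, "post_disclosure_exploited_days": 0}
    if t.exploit is None or t.exploit >= end:
        return result  # no exploit before the fix: no exploitation exposure
    if t.disclosure is None or t.disclosure >= end:
        result["zero_day_days"] = (end - t.exploit).days            # exploited, never disclosed before the fix
    elif t.disclosure <= t.exploit:
        result["post_disclosure_exploited_days"] = (end - t.exploit).days
    else:
        result["zero_day_days"] = (t.disclosure - t.exploit).days
        result["post_disclosure_exploited_days"] = (end - t.disclosure).days
    return result


# Constructed sample timelines (hypothetical, not real vulnerabilities).
RESPONSIBLE = VulnerabilityTimeline(date(2021, 1, 10), discovery=date(2021, 6, 1),
                                    disclosure=date(2021, 6, 15), exploit=date(2021, 7, 1),
                                    patch=date(2021, 7, 15))
AS_OF_RESPONSIBLE = date(2022, 1, 1)
ZERO_DAY = VulnerabilityTimeline(date(2020, 3, 1), discovery=date(2020, 9, 1),
                                 exploit=date(2020, 9, 5), disclosure=date(2020, 10, 5))
AS_OF_ZERO_DAY = date(2020, 11, 4)

if __name__ == "__main__":
    for name, t, today in (("responsible disclosure", RESPONSIBLE, AS_OF_RESPONSIBLE),
                           ("zero-day in the wild", ZERO_DAY, AS_OF_ZERO_DAY)):
        print(name, current_state(t, today), exposure_windows(t, today))
```

The first timeline follows the disclosure-then-exploit-then-patch order and only accumulates exposure after disclosure; the second has the exploit preceding disclosure and no patch yet, so it accumulates a zero-day window and is still in the Scripting state on the reporting date.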
3. Vulnerability Market Types
Depending on the motivation of vulnerability discoverers, different types of vulnerability markets emerge. Algarni and Malaiya studied discoverers' motivations and described the current vulnerability markets in which sellers (discoverers) and buyers (consumers) trade vulnerabilities.
In general, vulnerability markets are divided into legitimate (including regulated and unregulated markets) and illegitimate markets. A brief description of these is provided below.
3.1. Regulated Vulnerability Markets
These are controlled by conventions and laws to prevent any unsuitable actions against society as a whole. These types of market include the following:
Publicity: the discoverer submits the vulnerability to an authority, such as the software developers. Money or a reward is not the main motivation for these discoverers; they focus on building their reputations as capable researchers.
Captive market: the discoverers belong to organizations. Thus, they are not allowed to reveal the discovered vulnerabilities externally.
Vulnerability rewards from vendors: the discoverers can sell their findings directly to software vendors through some current rewards programs. These programs provide a good and legitimate option for discoverers to obtain rewards as opposed to resorting to other illegitimate alternatives.
Rewards by security service companies: these companies discover a vulnerability for two main reasons: to provide a high level of security for their subscribed customers or to sell the vulnerability to software developers only.
3.2. Vulnerability Gray Markets (Brokers)
These are considered a legitimate market but are partially regulated by some general rules. A broker may sell a vulnerability to software developers or to some government agencies depending on who can pay more.
3.3. Online Forums
These online places are classified as an illegitimate market because their main objective is to exchange vulnerability information and exploits among hacktivists, who plan to attack specific organizations globally, pursue a special agenda, or send specific messages, as when the LulzSec group attacked several global websites in 2011. Thus, money is generally not the main goal in these cases.
3.4. Vulnerability Black Markets
These are not regulated and are therefore illegitimate markets, because they are not controlled by any rules or laws. Thus, any unknown groups or organizations can buy zero-day vulnerabilities that might harm targeted organizations in several countries. Many black markets or forums exist solely to facilitate underground transactions for the exchange of malware, information theft, and other services. The vulnerability price paid to discoverers in these markets is therefore much higher than in other vulnerability markets, which encourages discoverers to sell their vulnerabilities there, and this is the main source of risk.