Good guys should compete with criminals in buying zero-day vulnerabilities, report says

An effective way to significantly improve software security is to compete head-to-head with the black market for previously unknown vulnerabilities, a security research company says.

In an analysis released Tuesday, NSS Labs recommended the formation of an international vulnerability purchase program (IVPP) that would pay competitive prices for so-called zero-day vulnerabilities sold to brokers, subscription services and hackers.

From 60 percent to 80 percent of the vulnerabilities today are reported to software vendors for free by security experts more interested in protecting users than profiting off the flaws, NSS says. The remaining vulnerabilities are purchased by vendors or end up on the black market, where cybercriminals can easily buy them.

By having a centralized vulnerability purchasing program, "we would get lots of researchers to investigate vulnerabilities," Stefan Frei, NSS Labs research director and co-author of the report, said. In addition, a clear message would be sent to software vendors that when they ship a product, "it would be thoroughly scrutinized from day one."

A "conservative estimate" of the reduction in losses to cybercrime through a competitive bounty program is 10 percent, according to NSS Labs, which is in the business of testing security products for corporate subscribers. The reduction would be worth far more than the cost, given that cybercrime and cyber espionage result in hundreds of billions of dollars in losses each year globally.

If every vulnerability in those products were bought for $150,000 each, the total would amount to less than 0.01 percent of the yearly gross domestic product of either the U.S. or the European Union, according to NSS Labs. If the major software vendors each paid the same amount for every vulnerability discovered in their own products, the cost would amount to less than 1 percent of their revenue.

Therefore, an IVPP is "an economically sound proposal to reduce losses that occur as a result of cybercrime," the report said.

"By offering competitive prices, we can really compete and drive many cybercriminals out," Frei said.

The need for an industry and government effort to reduce software vulnerabilities is clear. Of nine major vendors, only Microsoft published fewer vulnerabilities than its own five-year and 10-year averages, according to NSS. The other vendors examined were Adobe, Apple, Cisco, Google, Hewlett-Packard, IBM, Mozilla and Oracle.

An IVPP would pay competitive prices for zero-day vulnerabilities, pass the details to the affected vendor so a patch can be released, and publish all information on the vulnerability. The organization could be run by universities, the security industry or Computer Emergency Response Teams (CERTs).

Governments could finance the IVPP through a tax on software, products or services, the report said. The software industry could also choose to start the program on its own to keep it within the private sector.

Whether or not anything is done, a global bug bounty program already exists, "it's just run by the black hats," Frei said.

In a report released earlier this month, NSS Labs found that subscribers to two separate vulnerability programs, one run by Hewlett-Packard and the other owned by VeriSign, had access on any given day to at least 58 exploitable flaws in Microsoft, Apple, Oracle or Adobe products. Both organizations buy vulnerabilities from researchers and work with vendors on releasing patches.

Despite the number of flaws purchased by the services, many more secret vulnerabilities are available to cybercriminals and government agencies willing to pay more to launch cyberattacks or cyber espionage campaigns.

Brokers and exploit clearinghouses VUPEN Security, ReVuln, Endgame Systems, Exodus Intelligence and Netragard can collectively provide at least 100 exploits per year to subscribers, the report found.

Stories by Antone Gonsalves