Governments urged to set up global bounty system to buy security vulnerabilities

Action needed, argues NSS Labs researcher

The criminal market for software vulnerabilities is now so sophisticated and dangerous that governments should consider setting up a global programme to purchase flaws before they fall into the wrong hands, a researcher has argued.

Last month Dr Stefan Frei of NSS Labs calculated that criminals probably had access to around 100 zero-day software flaws known only to them at any moment in time, which represented a huge security risk to organisations, governments and consumers alike.

In a follow-up report before Christmas, Frei and co-author Francisco Artes suggested that the level of insecurity was now far beyond what could be mopped up by commercial software bounty programmes such as those run by Microsoft, Google, Yahoo or specialist firms such as HP TippingPoint.

Flaws could take months to discover and possibly years to patch across the world's population of PCs, leaving criminals free to exploit them more or less at will. With the uncosted economic and social toll rising and the industry no nearer producing secure software or accepting liability for its effects, the time had come for governments to resort to more drastic measures, Frei said.

Meanwhile, a lucrative market had developed for flaws, while security disclosure depended on the efforts of a small population of security researchers, a worrying minority of whom were willing to sell flaws to the highest bidder, often criminals.

One solution would be a fully-fledged International Vulnerability Purchase Program (IVPP), which would seek to purchase serious flaws before criminals got hold of them.

The main advantage of this approach is that it could include software products not currently covered by bounty programs while also paying market rates high enough to encourage more security research as a whole.

Even paying above market rates - as high as $150,000 (£100,000) per flaw - "the cost of purchasing all vulnerabilities in a given year, and at competitive prices, is remarkably low compared to the losses that are estimated to occur as a result of cybercrime, or the economic output of major countries, or the revenue of the software industry for the same time period," wrote Frei.

If such a program had purchased every known flaw during 2012, he calculated that the bounty costs would still represent only 0.3 percent of the revenue of the world software industry, and about 0.01 percent of US GDP.

Put another way, the costs of paying for all those flaws would be dwarfed by the economic effects of the same flaws once they are wielded by criminals. The price offered for a specific flaw would depend to some extent on the financial damage it might cause, a number that would always in theory be higher than the profit criminals could make from the same vulnerability.

In essence, Frei is arguing for something that would once have seemed almost unthinkable and may still be anathema in some parts of the industry - government-directed intervention. Driven by innovation, the software free market has failed to deliver on security, nor could it, because it does not have to pay for its own failures. These are borne by the customers and society as a whole.

Ironically, it's an interventionist idea that has occurred to governments too, including the ideological home of free-market solutions to just about any human problem, the US.

The mechanics of such a program would be complex, but Frei has thought through some of the practical issues as well. Regional submission centres would be set up (probably using CERTs) before flaws were handed on to a central analysis department. The IVPP process would produce transparent public disclosure and documentation.

Frei doesn't, of course, explain how this would all be paid for, nor what account might be taken of the views of firms with a current commercial interest in selling exploits. And if the volume of exploits reaching the public domain increased, what effect would this have on the vendors themselves, and on the organisations and paying businesses with the job of patching them? Many already struggle to patch the subset of flaws they get to hear about, without having this workload multiplied severalfold.

As interesting as the idea sounds, it is more likely that some of the job proposed will be achieved simply by waiting for the vulnerable Windows PC ecosystem to wither. Mobile and web platforms will be subject to a growing volume of flaws in time too but probably not on the scale witnessed in the dark ages when Windows users were left to fend for themselves.

This at least is one hope. But for the foreseeable future, the costs of poor software security will continue to be borne by organisations and citizens, and not by software firms.

Stories by John E Dunn