Governments should help pay people a bounty to find software vulnerabilities. Read why it might work
There’s no shortage of people who complain about government spending. As the saying goes, the only things certain in this world are death and taxes.
So I wonder what the world will think of a suggestion from security researchers that governments should chip in and buy all of the IT vulnerabilities people can find in software. The money wouldn’t go to malware makers, but to those who find the bugs.
“It is time to examine the economics of depriving cyber criminals’ access to new vulnerabilities through the systematic purchase of all vulnerabilities discovered at or above black market prices,” write Stefan Frei and Francisco Artes of NSS Labs.
Now, before you choke on your code, here’s their argument: worldwide financial losses due to cyber crime are estimated in the billions of dollars a year, and unless something drastic is done it’s only going to get worse.
Software makers have yet to produce secure software, they argue, “and since they do not bear the costs and consequences of the vulnerabilities within their products there’s little to indicate they ever will.”
The cost of buying all of the vulnerabilities in a given software vendor’s products is small compared to that vendor’s revenue over the same period, the authors argue. Similarly, they say, the cost of buying all of the vulnerabilities out there would be negligible next to the overall reduction in losses from cyber crime.
For the time being, software vendors should run bug bounty programs – Microsoft has one – with rewards competitive with what the black market pays. But in the long run, governments have to think about creating an international vulnerability purchase program. They should also create financial incentives for developers to build more secure software.
Here are their numbers: if all vulnerabilities published in 2012 – an estimated 5,218 – were purchased for US$150,000 each, it would total US$783 million. That’s less than 0.01 per cent of the yearly gross domestic product of the United States.
If only the 3,332 vulnerabilities from the top 100 vendors were purchased, it would total US$500 million. By comparison, the report says, the cost of cyber crime is estimated in the tens of billions a year.
So, the authors argue, an international program would be worth it even if it lowered the cost of cyber crime by only 10 per cent: a 10 per cent cut to losses measured in the tens of billions is still billions of dollars, several times the program’s price tag.