Pay millions for people to find bugs, argue security researchers

There’s no shortage of people who complain about government spending. As the saying goes, nothing in this world is certain except death and taxes.

So I wonder what the world will think of a suggestion from security researchers that governments should chip in and buy all of the IT vulnerabilities people can find in software. The money wouldn’t go to malware makers, but to those who find the bugs.

“It is time to examine the economics of depriving cyber criminals’ access to new vulnerabilities through the systematic purchase of all vulnerabilities discovered at or above black market prices,” write Stefan Frei and Francisco Artes of NSS Labs.

Now before you choke on your code, here’s their argument: Worldwide financial losses due to cyber crime are estimated in the billions of dollars a year, and unless something drastic is done it’s only going to get worse.

Software makers have yet to produce secure software, they argue, “and since they do not bear the costs and consequences of the vulnerabilities within their products there’s little to indicate they ever will.”

The cost of buying all of the vulnerabilities of a given software vendor is minimal compared to that vendor’s revenue for the same period of time, the authors argue. Similarly, they say, the cost of buying all of the vulnerabilities out there would be nothing compared to the overall reduction in losses from cybercrime.

For the time being, software vendors should run bug bounty programs – Microsoft has one – with competitive rewards for vulnerabilities found. But in the long run, governments have to think about creating an international vulnerability purchase program. They should also create financial incentives for developers to write more secure software.

Here are their numbers: If all vulnerabilities published in 2012 – an estimated 5,218 – were purchased for US$150,000 each, it would total US$783 million. That’s less than 0.01 per cent of the yearly gross domestic product of the United States.

If only the 3,332 vulnerabilities from the top 100 vendors were purchased, it would total US$500 million. By comparison, the report says, the cost of cyber crime is estimated in the tens of billions a year.

So, the authors argue, an international program would pay for itself even if it lowered the cost of cyber crime by only 10 per cent.

Read the report here and let me know what you think.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
