U.S. should outspend anyone on bug bounties, Black Hat conference told

If you throw enough money at a problem there’s bound to be a solution, some think. That’s the logic of security expert Dan Geer, who this week told the Black Hat conference in Las Vegas that the U.S. government should throw a heck of a lot of greenbacks at people who discover vulnerabilities.

How much? Ten times more than anyone else, he said in a keynote address.

Geer, chief information and security officer at In-Q-Tel, a not-for-profit venture capital company that invests in early stage companies making products aimed at U.S. intelligence agencies, maintained the U.S. should corner the market on vulnerabilities.

“Then we make them public and reduce to zero the inventory of cyber weapons that others have,” he was  Geer said. “I believe that exploitable software vulnerabilities are scarce enough that if we corner the market, we can make a difference.” including eSecurity Planet and

A number of companies have so-called bug bounty programs, including Microsoft and Google. Nor is Geer the first to say governments should open their wallets. In January, researchers at NSS Labs issued a report arguing that only drastic measures can bring cyber threats under control.

As a keynote speaker, Geer might have been merely trying to be provocative. On the other hand who could argue with his declaration that IT security weaknesses “are a riveting concern?” — especially this year with revelations spanning from the loss of data from Target, the Heartbleed-related theft from the Canada Revenue Agency  to this week’s report of a Russian gang that has a stash of some 1.2 billion pairs of passwords and usernames.

Here’s a few of his other suggestions:

–mandatory bug reporting. He didn’t say who would be the enforcer, governments or regulators, but the idea is that when an organization or vendor discovers a vulnerability it can’t be kept a secret;

–vendor liability for problems created by bugs. In a world of interoperability where products have to work with software and hardware from others this may be impossible, but Geer seems to believes with no one to blame vendors aren’t doing enough to prevent vulnerabilities;

–make abandoned software open source. When Microsoft ended support for Windows XP, vulnerabilities stopped being patched, yet millions of people are still running the OS. Support a product or give it to the public, Geer said.





Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web