Researchers discover vulnerabilities all the time, but if they decide to sell a flaw to the highest bidder, there is no telling whether that buyer will use the information for good or ill.
To eliminate the potential for misuse – particularly with often critical zero-day vulnerabilities – information security research and advisory company NSS Labs has put forth an initiative imploring vendors to purchase information on bugs.
“It is time to examine the economics of depriving cyber criminals' access to new vulnerabilities through the systematic purchase of all vulnerabilities discovered at or above black market prices,” NSS Labs researchers Stefan Frei and Francisco Artes wrote in their report, “International Vulnerability Purchase Program.”
Frei and Artes found that the cost of purchasing all of a vendor's vulnerabilities is minuscule when compared to the vendor's revenue over the same period. They also found that the cost of purchasing those vulnerabilities is nominal when compared to the losses expected from cyber crime.
“If all of the vulnerabilities for all products are purchased at USD $150,000 each, this still would amount to less than 0.01 percent of the yearly gross domestic product for either the US or the European Union,” Frei and Artes wrote. “The cost for major software vendors to purchase all of their vulnerabilities at USD $150,000 each is less than one percent of their revenue.”
Another benefit to the proposed program is that it will reduce the disclosure delay, Vikram Phatak, CEO of NSS Labs, told SCMagazine.com on Wednesday. He said it would reduce the return on investment for the attackers and will also create uncertainty in the market with regard to vulnerabilities that have already been exposed.
“There tends to be a lot of rediscovery of vulnerabilities,” Phatak said. “If we both discover a vulnerability, the path I take is the logical extension of a path someone else took.”
With increasing reliance on technology leading only to an increased number of security flaws, NSS Labs recommends a structured vulnerability management program that includes more competitive bug bounty programs, better incentives for the creation of more secure software, and greater communication and disclosure among researchers.
It is also recommended that software vendors invest in mechanisms for simple and automatic patching of their products.