Good Guys Should Compete with Criminals in Buying Zero-Day Vulnerabilities, Report Says
An effective way to significantly improve software security is to compete head-to-head with the black market for previously unknown vulnerabilities, a security research company says.
Wed, December 18, 2013
CSO — An effective way to significantly improve software security is to compete head-to-head with the black market for previously unknown vulnerabilities, a security research company says.
In an analysis released Tuesday, NSS Labs recommended the formation of an international vulnerability purchase program (IVPP) that would pay competitive prices for so-called zero-day vulnerabilities sold to brokers, subscription services and hackers.
From 60 percent to 80 percent of the vulnerabilities today are reported to software vendors for free by security experts more interested in protecting users than profiting off the flaws, NSS says. The remaining vulnerabilities are purchased by vendors or end up on the black market, where cybercriminals can easily buy them.
By having a centralized vulnerability purchasing program, "we would get lots of researchers to investigate vulnerabilities," Stefan Frei, NSS Labs research director and co-author of the report, said. In addition, a clear message would be sent to software vendors that when they ship a product, "it would be thoroughly scrutinized from day one."
A "conservative estimate" of the reduction in losses to cybercrime through a competitive bounty program is 10 percent, according to NSS Labs, which is in the business of testing security products for corporate subscribers. The reduction would be worth far more than the cost, given that cybercrime and cyber espionage result in hundreds of billions of dollars in losses each year globally.
If all vulnerabilities for products were bought for $150,000 each, the total would amount to less than 0.01 percent of the yearly domestic gross product for either the U.S. or the European Union, according to NSS Labs. If major software vendors paid an equal amount for each vulnerability discovered in their products, the cost would amount to less 1 percent of revenue.
Therefore, an IVPP is "an economically sound proposal to reduce losses that occur as a result of cybercrime," the report said.
"By offering competitive prices, we can really compete and drive many cybercriminals out," Frei said.
The need for an industry and government effort to reduce software vulnerabilities is clear. Among nine major vendors, only Microsoft published fewer vulnerabilities than its average over the last 10 or five years, according to NSS. The other vendors included Adobe, Apple, Cisco, Google, Hewlett-Packard, IBM, Mozilla and Oracle.
An IVPP would be responsible for paying competitive prices for zero-day vulnerabilities, getting the information to the appropriate vendor, so a patch can be released, and publishing all information on the vulnerability. The organization could be run by universities, the security industry or Community Emergency Response Teams (CERTS).