Over the past couple of decades, our society has become ever more dependent on software and the Internet. This evolution, unfortunately, has also increased the number and value of targets. The Internet knows no borders; neither does cyber crime, including cyber espionage. As long as the industry continues to produce insecure code, the consumer will be forced to bear the financial burden of securing critical data and systems. Not surprisingly, cyber crime has thrived in this environment, and losses incurred due to cyber crime continue to increase almost unabated; at present, they are estimated to be in the billions of dollars per year. Without a doubt, a considerable portion of these losses is linked directly to the never-ending stream of new vulnerabilities discovered within software, regardless of a vendor’s experience, size, and presumed capabilities.
This places a researcher who finds new vulnerabilities in an exclusive and rather powerful position with respect to the security of society. Currently, the researcher has three primary options regarding disclosure of the vulnerabilities found:
Full disclosure, which publicly “outs” the vendor, but which may be necessary in the case of limited cooperation, or where the vendor no longer supports the product or has gone out of business.
Report the vulnerability to the software vendor for free or for a small reward in order to get it fixed. This helps both parties.
Sell the vulnerability for a generous reward to cyber criminals or government agencies, thus creating a “known unknown.”
It is worrying that the security of a critical component of our society and economy is so heavily reliant on the altruism and ethics of a few researchers reporting their findings to vendors for free, while at the same time, the market for this information (and therefore its value) is growing rapidly. This reminds me of a quote from Winston Churchill’s famous 1940 wartime speech, in which he refers to the ongoing efforts of the Royal Air Force pilots fighting the Battle of Britain: “Never was so much owed by so many to so few.”
Experience has shown that traditional approaches based upon “more of the same” do not deliver better overall security. It is time to think outside of the box. Consider the following:
What would be the effect of offering USD $150,000 per vulnerability, for all vulnerabilities, regardless of vendor affected, and then reporting the vulnerability to the vendor for remediation?
I ran the numbers for this exercise, and the results are as intriguing as they are surprising. If you are ready to think out of the box, read our latest analyst brief, “International Vulnerability Purchase Program (IVPP).” Or, you can continue to do more of the same – but don’t expect much change.
What is the cost of doing nothing?
Follow me on Twitter @stefan_frei. I expect some interesting discussions on this topic.