Over the past couple of decades, our society has become ever more dependent on software and the Internet. This evolution, unfortunately, has also increased the number and value of targets. The Internet knows no borders; neither does cyber crime, including cyber espionage. As long as the industry continues to produce insecure software, the consumer will be forced to bear the financial burden of securing critical data and systems. Not surprisingly, cyber crime has thrived in this environment, and losses incurred due to cyber crime continue to increase almost unabated; at present, they are estimated to be in the billions of dollars per year. Without a doubt, a considerable portion of these losses is linked directly to the never-ending stream of new vulnerabilities discovered within software, regardless of a vendor’s experience, size, and presumed capabilities.
This places a researcher that finds new vulnerabilities in an exclusive and rather powerful position with respect to the security of society. Currently, the researcher has three primary options regarding disclosure of vulnerabilities found:
It is worrying that the security of a critical component of our society and economy is so heavily reliant on
Experience has shown that traditional approaches based upon "more of the same" do not deliver better overall security. It is time to think outside of the box. Consider the following:
What would be the effect of offering
I ran the numbers for this exercise and published the results, which are as intriguing as they are surprising, in the paper International Vulnerability Purchase Program (IVPP).
If you are ready to think outside of the box, read the paper, or calculate the cost based on your own price model. Or, you can continue to do more of the same – but don’t expect much change.
What is the cost of doing nothing?