An International Bug Bounty Program

It is time to examine the economics of depriving cyber criminals of access to new vulnerabilities by systematically purchasing every discovered vulnerability at or above black market prices.


The Grand Security Challenge

Cost of cybercrime

Over the past couple of decades, our society has become ever more dependent on software and the Internet. This evolution, unfortunately, has also increased the number and value of targets. The Internet knows no borders; neither does cyber crime, including cyber espionage. As long as the industry continues to produce insecure software, the consumer will be forced to bear the financial burden of securing critical data and systems. Not surprisingly, cyber crime has thrived in this environment, and losses incurred due to cyber crime continue to increase almost unabated; at present, they are estimated to be in the billions of dollars per year. Without a doubt, a considerable portion of these losses is linked directly to the never-ending stream of new vulnerabilities discovered within software, regardless of a vendor’s experience, size, and presumed capabilities.



Vulnerability handling

This places a researcher who finds new vulnerabilities in an exclusive and rather powerful position with respect to the security of society. Currently, the researcher has three primary options regarding disclosure of vulnerabilities found:

It is worrying that the security of a critical component of our society and economy relies so heavily on the altruism and ethics of a few researchers reporting their findings to vendors for free, while at the same time the market for this information (and therefore its value) is growing rapidly. This is not a sustainable recipe for securing the future.


Thinking Out Of The Box

Experience has shown that traditional approaches based upon "more of the same" do not deliver better overall security. It is time to think outside of the box. Consider the following:

What would be the effect of offering USD $150,000 per vulnerability, for all vulnerabilities, regardless of vendor affected, and then reporting the vulnerability to the vendor for remediation?

I ran the numbers for this exercise and published the results in the paper International Vulnerability Purchase Program (IVPP); they are as intriguing as they are surprising.

If you are ready to think out of the box, read the paper, or calculate the cost based on your price model. Or, you can continue to do more of the same – but don’t expect much change.

What is the cost of doing nothing?



Date Time: 2020-05-26 20:19:56
© 2000-2020 Stefan Frei