An International Bug Bounty Program

It is time to examine the economics of depriving cyber criminals’ access to new vulnerabilities through the systematic purchase of all vulnerabilities discovered at or above black market prices.

The Grand Security Challenge

Cost of cybercrime

Over the past couple of decades, our society has become ever more dependent on software and the Internet. This evolution, unfortunately, has also increased the number and value of targets. The Internet knows no borders; neither does cyber crime, including cyber espionage. As long as the industry continues to produce insecure software, the consumer will be forced to bear the financial burden of securing critical data and systems. Not surprisingly, cyber crime has thrived in this environment, and losses incurred due to cyber crime continue to increase almost unabated; at present, they are estimated to be in the billions of dollars per year. Without a doubt, a considerable portion of these losses is linked directly to the never-ending stream of new vulnerabilities discovered within software, regardless of a vendor’s experience, size, and presumed capabilities.

THE PROBLEM
insecure software
The software industry is yet unable to produce secure software

WHAT IF..
USD 150,000.-
What if we offered USD 150,000 per vulnerability to outbid cyber criminals?

A DIFFERENT APPROACH
follow the money
The economics of buying vulnerabilities at large scale. Online cost calculator.

Vulnerability handling

This places a researcher that finds new vulnerabilities in an exclusive and rather powerful position with respect to the security of society. Currently, the researcher has three primary options regarding disclosure of vulnerabilities found:

Full disclosure, which publicly “outs” the vendor, but which may be necessary in the case of limited cooperation, or where the vendor no longer supports the product or has gone out of business.
Report the vulnerability to the software vendor for free or for a small reward in order to get it fixed. This helps both parties.
Sell the vulnerability for a generous reward to the highest bidder, typically cyber criminals or government agencies, thus creating a "known unknown."

It is worrying that the security of a critical component of our society and economy is so heavily reliant on the altruism and ethics of a few researchers reporting their findings to vendors for free, while at the same time, the market for this information (and therefore its value) is growing rapidly. This is no sustainable recipe to secure the future.

Thinking Out Of The Box

Experience has shown that traditional approaches based upon "more of the same" do not deliver better overall security. It is time to think outside of the box. Consider the following:

What would be the effect of offering USD $150,000 per vulnerability, for all vulnerabilities, regardless of vendor affected, and then reporting the vulnerability to the vendor for remediation?

I ran the numbers for this exercise, and the results are as intriguing as they are surprising, published in the paper International Vulnerability Purchase Program (IVPP).

If you are ready to think out of the box, read the paper, or calculate the cost based on your price model. Or, you can continue to do more of the same – but don’t expect much change.

What is the cost of doing nothing?