A new report from security-information firm NSS Labs is campaigning for a global vulnerability purchasing (or bug bounty) program.
It claims that the current tepid approach from software firms has failed to staunch the flow of reports of new software flaws.
In 2012, the number of vulnerabilities reported in software programs increased for the first time in five years and this year will likely equal or surpass that mark, according to data from the National Vulnerability Database. While the number of software flaws considered critical security threats has declined, attackers continue to have little trouble finding a software flaw to exploit.
Out of 10 major software vendors – including Adobe, Apple, IBM and Oracle – only Microsoft has reduced the number of flaws reported in its products to below its five-year and 10-year average, according to NSS Labs’ data.
“On the very large scale, doing more of the same has not solved our problems,” Frei said. “As it is right now, the system is fragile.”
The report, which uses previous NSS Labs vulnerability analyses, estimates that a bounty program to buy serious vulnerabilities in popular software could make a dramatic difference in the cyber-criminal economy. While costing a fraction of the total cost of cyber-crime, the program could remove potential vectors of attack from the market, Frei said.
“Today, most of the vulnerabilities are reported to the vendor for free,” Frei said. “We rely 100 percent on the altruism of the researcher, while at the same time there is an expanding market from government agencies and criminals to offer extremely high rewards for the same information.”
Bug bounty programs have gained increasing popularity. In 2002, iDefense created the Vulnerability Contributor Program, paying security researchers for vulnerabilities in other companies’ products.
Since then, a number of vendors – such as Mozilla, Facebook and Google – have started rewarding researchers for bug reports. After refusing to pay for vulnerability research, Microsoft agreed to award prizes for any exploitation techniques that can bypass the defences of the current version of Windows.
A program to buy each reported vulnerability for $150,000 (£91,804) – a significant bounty by today’s standards – would cost $444 million (£271m) if the initiative purchased every flaw discovered in the top-50 products in 2012. While that sum may seem excessive, it represents less than 5 percent of the total cost of cyber-crime, estimated to be at least $10 billion (£6.1bn), NSS Labs stated in the report.
If implemented as an international program, with local groups that would receive submissions and a number of assessment centres that would randomly be assigned the task of checking the information, the program could work to remove much of the supply of vulnerabilities, Frei said.
Originally published on eWeek.