Marketplace: Setting Up a Global System to Buy Security Vulnerabilities

Can monetizing vulnerability discoveries help lower cybercrime? That, at least, is the idea of Stefan Frei of NSS Labs and co-author Francisco Artes. They propose the creation of an international organization for buying security vulnerabilities.

“Frei previously had estimated that at any given time criminals have access to about 100 zero-day vulnerabilities known only to them. Meanwhile, a lucrative marketplace has developed for security vulnerabilities identified by security researchers, some of whom are willing to sell their discoveries to the criminal underground. Frei and Artes say the scale of the problem is such that it cannot be effectively handled by individual vulnerability bounty systems such as those run by Microsoft and Google, and that national governments should instead band together to create an International Vulnerability Purchase Program (IVPP) that could purchase vulnerabilities before criminals obtain access to them. According to Frei and Artes, an IVPP would do this by paying market or even above-market rates for vulnerabilities. Although these rates could be as high as $150,000 per flaw, Frei says, ‘the cost of purchasing all vulnerabilities in a given year, and at competitive prices, is remarkably low compared to the losses that are estimated to occur as a result of cybercrime.’”

Source: TechWorld via ACM Tech News

Photo credits: Stuxnet by marsmet481