The criminal market for software vulnerabilities is now so sophisticated and dangerous that governments should consider setting up a global programme to purchase flaws before they fall into the wrong hands, a researcher has argued.
Last month Dr Stefan Frei of NSS Labs calculated that criminals probably had access to around 100 zero-day software flaws known only to them at any moment in time, which represented a huge security risk to organisations, governments and consumers alike.
In a follow-up report before Christmas Frei and co-author Francisco Artes suggested that the level of insecurity was now far beyond what could be mopped up by commercial software bounty programmes such as those run by Microsoft, Google, Yahoo or specialist firms such as HP TippingPoint.
Flaws could take months to discover and possibly years to patch across the world's population of PCs, leaving criminals free to exploit them more or less at will. With the uncosted economic and social toll rising and the industry no nearer producing secure software or accepting liability for its effects, the time had come for governments to resort to more drastic measures, Frei said.
Meanwhile, a lucrative market has developed for flaws, with security disclosures depending on the efforts of a small population of security researchers, a worrying minority of whom were willing to sell flaws to the highest bidder, often criminals.
One solution would be a fully-fledged International Vulnerability Purchase Program (IVPP), which would seek to purchase serious flaws before criminals got hold of them.
The main advantage of this approach is that it could include software products not currently covered by bounty programmes, while also paying market rates high enough to encourage more security research as a whole.
Even paying above market rates - as high as $150,000 (£100,000) per flaw - "the cost of purchasing all vulnerabilities in a given year, and at competitive prices, is remarkably low compared to the losses that are estimated to occur as a result of cybercrime, or the economic output of major countries, or the revenue of the software industry for the same time period," wrote Frei.
If such a programme had purchased every known flaw during 2012, he calculated that the bounty costs would still represent only 0.3 percent of the revenue of the world software industry, or about 0.01 percent of US GDP.
Put another way, the costs of paying for all those flaws would be dwarfed by the economic effects of the same flaws once they are wielded by criminals. The price offered for a specific flaw would depend to some extent on the financial damage it might cause, a number that would always in theory be higher than the profit criminals could make from the same vulnerability.