Good guys should compete with criminals in buying zero-day vulnerabilities, report says

An effective way to significantly improve software security is to compete head-to-head with the black market for previously unknown vulnerabilities, a security research company says.

[Study finds zero-day vulnerabilities abound in popular software]

In an analysis released Tuesday, NSS Labs recommended the formation of an international vulnerability purchase program (IVPP) that would pay competitive prices for so-called zero-day vulnerabilities sold to brokers, subscription services and hackers.

From 60 percent to 80 percent of the vulnerabilities today are reported to software vendors for free by security experts more interested in protecting users than profiting off the flaws, NSS says. The remaining vulnerabilities are purchased by vendors or end up on the black market, where cybercriminals can easily buy them.

By having a centralized vulnerability purchasing program, “we would get lots of researchers to investigate vulnerabilities,” Stefan Frei, NSS Labs research director and co-author of the report, said. In addition, a clear message would be sent to software vendors that when they ship a product, “it would be thoroughly scrutinized from day one.”

A “conservative estimate” of the reduction in losses to cybercrime through a competitive bounty program is 10 percent, according to NSS Labs, which is in the business of testing security products for corporate subscribers. The reduction would be worth far more than the cost, given that cybercrime and cyber espionage result in hundreds of billions of dollars in losses each year globally.

If all vulnerabilities for products were bought for $150,000 each, the total would amount to less than 0.01 percent of the yearly domestic gross product for either the U.S. or the European Union, according to NSS Labs. If major software vendors paid an equal amount for each vulnerability discovered in their products, the cost would amount to less 1 percent of revenue.

Therefore, an IVPP is “an economically sound proposal to reduce losses that occur as a result of cybercrime,” the report said.

“By offering competitive prices, we can really compete and drive many cybercriminals out,” Frei said.

The need for an industry and government effort to reduce software vulnerabilities is clear. Among nine major vendors, only Microsoft published fewer vulnerabilities than its average over the last 10 or five years, according to NSS. The other vendors included Adobe, Apple, Cisco, Google, Hewlett-Packard, IBM, Mozilla and Oracle.

[Microsoft offers quick fix for Zero-Day vulnerability]

An IVPP would be responsible for paying competitive prices for zero-day vulnerabilities, getting the information to the appropriate vendor, so a patch can be released, and publishing all information on the vulnerability. The organization could be run by universities, the security industry or Community Emergency Response Teams (CERTS).

Governments could finance the IVPP through a tax on software, products or services, the report said. The software industry could also chose to start the program on its own to keep it within the private sector.

Whether anything is done, a global bug bounty program already exists, “it’s just run by the black hats,” Frei said.

In a report released earlier this month, NSS Labs found that subscribers to two separate vulnerability programs, one run by Hewlett-Packard the other owned by VeriSign, had access on any given day to at least 58 exploitable flaws in Microsoft, Appe, Oracle or Adobe products. Both organizations buy vulnerabilities from researchers and work with vendors in releasing patches.

Despite the number of flaws purchased by the services, many more secret vulnerabilities are available to cybercriminals and government agencies willing to pay more to launch cyberattacks or cyber espionage campaigns.

Brokers and exploit clearinghouses VUPEN Security, ReVuln, Endgame Systems, Exodus Intelligence and Netragard can collectively provide at least 100 exploits per year to subscribers, the report found.