Las Vegas -- The U.S. government should pay 10 times the going rate for zero-day software flaws in order to corner the market and then make those vulnerabilities public to render them less potent for attackers, Black hat 2014 attendees were told yesterday.That would reduce the overall threats against Internet traffic in general and cost less than the damage that actual exploits cause, says Dan Geer, who is the chief information security officer at In-Q-Tel, the venture capital arm of the Central Intelligence Agency.+ Also on Network World: 10 disturbing attacks at Black Hat USA 2014 | Black Hat 2014: How to crack just about everything +This was one of several proposals he floated during his keynote address at the best attended hacker conference. He said several times that the ideas were his own and did not express anyone else\u2019s opinions.His idea for the government to buy up all the zero-day vulnerabilities could have a significant impact on overall security assuming that most software isn\u2019t riddled with security holes. If the occurrence of flaws is dense, however, the scheme wouldn\u2019t work because software vendors would wind up spending all their time patching their products.But if it turns out software vulnerabilities are relatively sparse, the flaws could be readily patched. \u201cI believe they are sparse enough so if we corner the market, we can make a difference,\u201d Geer says.At one time finding vulnerabilities was a pastime with the reward being bragging rights. Now finding flaws is a full-time job that guarantees that finders don\u2019t share their discoveries, hence a rise in the rate of zero-day attacks. The vulnerabilities can be sold for huge sums, drawing in researchers who find them and sell them for profit.Offering 10 times the going rate would eventually attract most people with vulnerabilities to sell, regardless of their personal feelings about selling to the U.S., he says.Another of Geer\u2019s proposals would have Windows XP open-sourced as a way to protect customers from being abandoned by Microsoft.While Microsoft is not the only company that would be affected, he cited Microsoft as being among those companies that end support for their software despite the fact that they are still widely used. Though he didn\u2019t mention it by name, one example is Windows XP, which is still the operating system for about a quarter of PCs used on the Internet.He says that abandoning updates for products used by vast numbers of customers should mean creators of the products should turn that function over to the public. It\u2019s unfair for vendors to officially end support for certain platforms for everyone but at the same time continue support for those customers who can afford to pay significantly extra for it, he says.He acknowledged that the solution isn\u2019t perfect given the uncertainty of how well the open source community would support the software. \u201cIt\u2019s the worst option,\u201d Geer said, \u201cexcept for all the others.\u201dAnother suggestion that aimed again at software vendors would make vendors liable for damage their products cause to customers who use them normally. That means legislators and courts would have to sort out what normal means, but it would end the vendors\u2019 getting a free pass for bad software, he says.Vendors would be allowed to duck that liability if they made it possible for customers to turn off whatever pieces of the software they choose to as part of the licensing agreement. That wouldn\u2019t allow them to modify the code, just cut out parts of it they deemed unnecessary or that they just didn\u2019t trust, Geer says.His proposal would let consumers protect themselves without violating software vendors\u2019 copyrights, he says, but \u201csoftware vendors will yell bloody murder.\u201dGeer says embedded software in common Internet devices such as home routers and sensors should either include remote management interfaces or have a limited lifetime. That way holes discovered in their software could be patched remotely via the management interface. If there is no management interface, the limited lifetime would ensure that the flaws would eventually be removed when the devices hit their end of life.Geer addressed the issue of Net Neutrality by offering ISPs the right to charge more for faster services but only in return for accepting responsibility for the content they transport on their networks. ISPs that didn\u2019t take up the offer could still operate as common carriers providing a single level of service with a common price but without having to accept responsibility for the content of the traffic.