Could a $150,000 enforced bug bounty put zero-day exploit brokers out of business?

How great would it be if we no longer had to worry about zero-day exploits? NSS Labs, where “security a science,” estimates that on any given day, there are “at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe.” Critical zero-day vulnerabilities -- undocumented and unpatched software flaws -- are sold by exploit vendors to governments and are also available in the cybercrime underground. A half dozen exploit brokers have the “capacity to offer more than 100 exploits per year” because vulnerability researchers often sell to the highest bidder instead of reporting the zero-day flaw to vendors for a lower bug bounty price. That could change, however, if all vendors offered a higher standard rate for their bug bounty programs.

Not a day goes by when your life is not affected by apps; even if you steer clear of the Internet or your PC, software runs most everything from the power grid to cash registers. Not only is our critical infrastructure horribly vulnerable, the apps you use daily are full of insecure code. The “never-ending stream of new vulnerabilities discovered within software, regardless of a vendor’s experience, size, and presumed capabilities” has allowed cybercrime to flourish. The fix, according to NSS Labs, is for all software companies to adopt bug bounty programs that pay $150,000 per exploit found.

Pay security researchers 150,000 per exploit reported as enforced bug bounty by all vendors

“It is time to examine the economics of depriving cyber criminals' access to new vulnerabilities through the systematic purchase of all vulnerabilities discovered at or above black market prices,” proposed Stefan Frei, research director of NSS Labs. A report titled “International Vulnerability Purchase Program,” states, “If all of the vulnerabilities for all products are purchased at USD $150,000 each, this still would amount to less than 0.01 percent of the yearly gross domestic product (GDP) for either the US or the European Union (EU). The cost for major software vendors to purchase all of their vulnerabilities at USD $150,000 each is less than one percent of their revenue.”

“Frei’s analysis conservatively estimated that private companies which purchase software vulnerabilities for use by nation states and other practitioners of cyber espionage provide access to at least 85 zero-day exploits on any given day of the year,” wrote Brian Krebs of Krebs on Security. “That estimate doesn’t even consider the number of zero-day bugs that may be sold or traded each day in the cybercrime underground. …The market for finding, stockpiling and hoarding (keeping secret) software flaws is expanding rapidly."

“Everyone is going to use Adobe Flash or Java or Windows,” wrote Adam Kujawa, lead of the Malware Intelligence Team at Malwarebytes. “This means that said vulnerable applications are not only targeted greatly because of their widespread use but also completely unopposed in the market, which (in theory) means that they don’t have to update or patch because users will still use their products because they don’t have any competition.”

While “paying $150k for bug bounties would help the industry because more professional vulnerability researchers would opt to go the white hat route,” eliminating software flaws will not stop social engineering and web attacks which play a “massive part of the process.” Kujawa also suggested a “federally approved industry seal for software that has been tested.” Then users would know whether or not the app is secure.

You could also approach the benefits from a liability standpoint. Many banks are held liable for the loss of money from a robbery, an amusement park is liable for a ride that malfunctions and injures a guest. Why don’t we hold software developers to the same standard and when their product gets exploited, you can hold them liable for the data loss.

"Software security is a 'negative externality': like environmental pollution, vulnerabilities in software impose costs on users and on society as a whole, while software vendors internalize profits and externalise costs," Krebs explained. "Thus, absent any demand from their shareholders or customers, profit-driven businesses tend not to invest in eliminating negative externalities."

“No matter how large a vendors’ security team, it cannot compete with the combined experiences of a global group of individual specialists or organizations with diverse backgrounds, education, culture, and skills,” NSS Labs noted. Critical zero-day vulnerabilities will continue to be discovered and exploited by cyber crooks. An enforced high price as a bug bounty could be the solution. As a plus, it could put some serious hurt to exploit brokers' wallets.

I like the proposal of $150,000 per exploit, regardless of if the vulnerability is big or small, as it would keep bug hunters searching for software flaws and keep us safer as a whole. It could also help the black hat sons of Grinches decide to do the “right” white hat thing; then they might even make the nice instead of naughty list. That’s all for now. Have a very Merry Christmas and a happy New Year!

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon