Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Governments urged to set up global bounty system to buy security vulnerabilities

John E Dunn | Jan. 9, 2014
The criminal market for software vulnerabilities is now so sophisticated and dangerous that governments should consider setting up a global programme to purchase flaws before they fall into the wrong hands, a researcher has argued.

In essence, Frei is arguing for something that would once have seemed almost unthinkable and may still be anathema in some parts of the industry - government-directed intervention. Driven by innovation, the software free market has failed to deliver on security and nor could it because it does not have to pay for its own failures. These are borne by the customers and society as a whole.

Ironically, it's an interventionist idea that has occurred to governments too, including the ideological home of free-market solutions to just about any human problem, the US.

The mechanics of such a program would be complex but Frei has thought through some of the practical issues as well. Regional submission centres would be set up (probably using CERTs), before flaws were handed on to a central analysis department. The IVPP process would produce transparent public disclosure and documentation.

Frei doesn't, of course, explain how this would all be paid for, nor what account might be taken of the views of firms with a current commercial interest in selling exploits. And if the volume of exploits reaching the public domain increased, what effect would this have on the vendors themselves and the organisations and paying businesses with the job of patching them? Many struggle to apply the subset of flaws they get to hear about without having this workload multiplied severalfold.

As interesting as the idea sounds, it is more likely that some of the job proposed will be achieved simply by waiting for the vulnerable Windows PC ecosystem to wither. Mobile and web platforms will be subject to a growing volume of flaws in time too but probably not on the scale witnessed in the dark ages when Windows users were left to fend for themselves.

This at least is one hope. But for the forseeable future, the costs of poor coding security will continue to be borne by organisations and citizens and not software firms.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.