Some software vendors have set up bug bounty programs and pay hackers for privately reporting vulnerabilities found in in their products. However, the rewards paid by vendors cannot compete with the amount of money that governments can and are willing to pay for the same flaws.
"I would rather vendors not try to compete in the bidding, but rather focus on eliminating the market entirely by creating secure products from the very beginning," said Jake Kouns, chief information security officer at vulnerability intelligence firm Risk Based Security, via email.
Software vendors should instead "invest significant money, energy, and time" into training developers on secure coding practices and reviewing code before releasing it, he added.
Sign up for CIO Asia eNewsletters.