Whether or not anything is done, a global bug bounty program already exists, "it's just run by the black hats," Frei said.
In a report released earlier this month, NSS Labs found that subscribers to two separate vulnerability programs, one run by Hewlett-Packard and the other owned by VeriSign, had access on any given day to at least 58 exploitable flaws in Microsoft, Apple, Oracle or Adobe products. Both organizations buy vulnerabilities from researchers and work with vendors on releasing patches.
Despite the number of flaws purchased by the services, many more secret vulnerabilities are available to cybercriminals and government agencies willing to pay more to launch cyberattacks or cyber espionage campaigns.
Brokers and exploit clearinghouses VUPEN Security, ReVuln, Endgame Systems, Exodus Intelligence and Netragard can collectively provide at least 100 exploits per year to subscribers, the report found.