Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Good guys should compete with criminals in buying zero-day vulnerabilities, report says

Antone Gonsalves | Dec. 19, 2013
An effective way to significantly improve software security is to compete head-to-head with the black market for previously unknown vulnerabilities, a security research company says.

Whether anything is done, a global bug bounty program already exists, "it's just run by the black hats," Frei said.

In a report released earlier this month, NSS Labs found that subscribers to two separate vulnerability programs, one run by Hewlett-Packard the other owned by VeriSign, had access on any given day to at least 58 exploitable flaws in Microsoft, Apple, Oracle or Adobe products. Both organizations buy vulnerabilities from researchers and work with vendors in releasing patches.

Despite the number of flaws purchased by the services, many more secret vulnerabilities are available to cybercriminals and government agencies willing to pay more to launch cyberattacks or cyber espionage campaigns.

Brokers and exploit clearinghouses VUPEN Security, ReVuln, Endgame Systems, Exodus Intelligence and Netragard can collectively provide at least 100 exploits per year to subscribers, the report found.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.