What would it mean and cost to outbid cyber criminals?


Area41 Conference, Zurich, June 2nd, 2014


The continued discovery of new software vulnerabilities and their abuse by criminals and governments is the root cause of a considerable portion of the losses experienced by society. Every exploitable vulnerability used offensively induces significant direct and indirect losses for users and society as a whole.

Experience has shown that traditional approaches based on “more of the same” do not deliver better overall security. It is time to examine the economics of depriving cyber-criminals of access to new vulnerabilities through the systematic purchase of all relevant vulnerabilities discovered, at or above black-market prices.

Purchasing all vulnerabilities of a software vendor typically costs less than 1% of that vendor’s annual revenue. Purchasing all vulnerabilities for all vendors costs much less than the expected reduction in losses, or less than 0.1% of the GDP of the US or the EU. It is therefore economically viable to make large-scale purchases of vulnerabilities to reduce losses, establish proper incentives, and provide transparency.