- Stefan Frei, Francisco Artes
- Whitepaper: International Vulnerability Purchase Program (IVPP) (pdf)
- See also: The Case for a Bug Bounty Program of Last Resort
Over the past few decades, the global economy increasingly has come to rely on information systems, and yet society remains in the early phases of adapting to the related opportunities and threats. Criminals, however, are fast adopters (as with any new technology), and worldwide financial losses occurring as a result of cyber crime are estimated in the billions of dollars per year. The continued discovery of new vulnerabilities in software and their subsequent abuse by cyber criminals is the root cause of a considerable portion of the losses experienced by society. Every exploitable security vulnerability in the possession of cyber criminals (particularly those vulnerabilities that affect popular products) subsequently induces significant direct and indirect losses for users and for society as a whole.
There is no indication that the status quo will change any time soon, not least because software manufacturers have yet to produce secure software and, since they do not bear the costs and consequences of the vulnerabilities within their products, there is little to indicate that they ever will. Experience has shown that traditional approaches based on “more of the same” do not deliver better overall security. The question to ask is: “How much are those that bear the costs willing to pay to reduce their losses incurred as a result of cyber crime?”
It is time to examine the economics of depriving cyber criminals of access to new vulnerabilities through the systematic purchase of all vulnerabilities discovered, at or above black market prices. By comparing the total losses occurring as a result of cyber crime against the costs involved in purchasing all vulnerabilities, a compelling case is made for a centralized vulnerability purchase program.
NSS Labs has discovered that the cost of purchasing all of the vulnerabilities of a given software vendor is minimal when compared with that vendor’s revenue for the same period of time. Further, the cost of purchasing all of the vulnerabilities for all of the vendors is minimal when weighed against the expected overall reduction in losses incurred as a result of cyber crime. NSS’ data reveals that it is economically viable for governments to make large-scale purchases of vulnerabilities to reduce losses, establish proper incentives, provide transparency, and transfer costs to the appropriate parties.