Security Researchers Push for 'Bug Bounty Program of Last Resort'

An international program that pays out hefty sums for the discovery of software vulnerabilities could spur greater scrutiny of applications and lead to better security.

Creating national programs to buy vulnerability information from security researchers could significantly reduce the risk of software flaws, according to two European security researchers.


In a paper published on Thursday, "Bug Bounty Program of Last Resort," Stefan Frei and Oliver Rochford argue that paying bounties of $50K, $150K, and $250K for medium-, high-, and critical-severity vulnerabilities in the products of the top 500 vendors would cost about $1.7 billion a year, less than 0.01% of US gross domestic product. For the program to pay for itself, the researchers state, it would only have to reduce the roughly $1 trillion annual cost of cybercrime by less than 0.5%.


While the proposal is ambitious, even modest results would shrink the pool of available zero-days and produce a more secure software ecosystem, says Frei, security officer at SDX Security and a lecturer at ETH Zurich, a public university in Switzerland.


"Over the past two decades we had to learn that vulnerabilities don't go away, in spite of all investments," he says. "We also have to realize that doing more of the same will not solve the problem."


The proposal, whose research was funded by the Chair of Entrepreneurial Risks at ETH Zurich's Department of Management, Technology, and Economics, is not an entirely new idea. An economic analysis of bug-bounty programs published at the Workshop on the Economics of Information Security (WEIS) in 2019 found that combining rewards with better law enforcement tends to have the surest impact f ..
