Research company NSS Labs says bug bounties should be mandatory for vendors.
NSS Labs researchers Stefan Frei and Francisco Artes wrote in the International Vulnerability Purchase Program report that the cost of purchasing all of a vendor's vulnerabilities was minuscule compared to the vendor's revenue over the same time frame.
The researchers also found that the cost of purchasing those vulnerabilities is nominal compared to the expected losses from crime.
“If all of the vulnerabilities for all products are purchased at USD $150,000 each, this still would amount to less than 0.01 percent of the yearly gross domestic product for either the US or the European Union,” Frei and Artes wrote. “The cost for major software vendors to purchase all of their vulnerabilities at USD $150,000 each is less than one percent of their revenue.”
Another benefit to the proposed program is that it will reduce the disclosure delay, Vikram Phatak, CEO of NSS Labs, told SCMagazine.com on Wednesday. He said it would reduce the return on investment for the attackers and will also create uncertainty in the market with regard to vulnerabilities that have already been exposed.
“There tends to be a lot of rediscovery of vulnerabilities,” Phatak said. “If we both discover a vulnerability, the path I take is the logical extension of a path someone else took.”
With an increasing reliance on technology only leading to a greater number of security flaws, NSS Labs recommends a structured vulnerability management program that includes more competitive bug bounty programs, better incentives for the creation of more secure software, and greater communication and disclosure among researchers.
It is also recommended that software vendors invest in mechanisms for simple and automatic patching of their products.