Creating national programs to buy vulnerability information from security researchers could significantly reduce the risk of software flaws, according to two European security researchers.
In a paper published on Thursday — “Bug Bounty Program of Last Resort” — Stefan Frei and Oliver Rochford argue that the funds necessary to pay a bounty of $50K, $150K, and $250K for medium-, high-, and critical-severity vulnerabilities from the top 500 vendors would amount to $1.7 billion, less than 0.01% of the US gross domestic product. To create a net positive impact on cybercriminals, the effort would only have to create minimal savings of less than 0.5% of the $1 trillion annual impact of cybercrime, the researchers state.
While the proposal is ambitious, only modest results would reduce the pool of available zero-days…