If you're looking to reduce the pool of possible zero-day vulnerabilities that could potentially be used for criminal or state-sponsored breaches of computer and network security, throwing people and money at the problem isn't necessarily going to solve it. At least, that's the conclusion from a team of researchers at MIT, Harvard, and the security firm HackerOne (the organization that runs the Internet Bug Bounty program). At next week's RSA Conference, HackerOne Chief Policy Officer Katie Moussouris and Dr Michael Siegel of MIT's Sloan School will present a study on the economics of the marketplace for "zero-day" vulnerabilities in software and networks, showcasing a model for how that market behaves. Spoiler: their model isn't simply driven by supply and demand.
In a blog post today entitled "The Wolves of Vuln Street," Moussouris summarized the team's findings and what they mean for organizations and government agencies seeking to "dry up the offensive stockpile" of vulnerabilities available to would-be attackers. The crux is that bug bounty programs are valuable in uncovering vulnerabilities (especially in less mature software), but some vulnerabilities simply will never be for sale at a price that defenders can afford. The long-term solution, Moussouris suggested, is to pay for automated tools and techniques that help developers find the bugs themselves.
At last year's Black Hat conference in Las Vegas, Dan Geer—a computer security analyst and chief information security officer of the CIA-backed venture capital firm In-Q-Tel—suggested that the US government should simply corner the market on vulnerabilities, offering "six-figure prices" to compete with the black market for zero-days. Geer also said this approach would only work if vulnerabilities were scarce; if they are plentiful, there would be no amount of money that could possibly buy up all the potential attack vectors.