Vulnerabilities are raging out there. Firewalls, operating systems, application servers, games, and digital rights management systems all have flaws that threaten, in the best case, individual machines and, in the worst case, the integrity of key points of the Internet. So how about a free-market solution to vulnerability reporting?
A new initiative by 3Com/TippingPoint called the Zero Day Initiative would pay vetted researchers to report vulnerabilities to the company in a responsible way, thereby keeping these holes from reaching the public domain and being exploited by criminals and hackers before vendors can patch them.
Critics are quick to accuse the program of creating a second-hand market for vulnerability information (much like the attempted sale of a Microsoft Excel vulnerability on eBay). It is not hard to see how, once some sort of market has been created for critical vulnerability information, hackers may be willing to buy, or outbid others for, a piece of information on vulnerable software.
On the other hand, this system is as good as it gets: without some sort of market to encourage security research, the vulnerabilities will eventually be discovered anyway, possibly by the bad guys, and exploited before there is any chance to detect and patch them.
One of my questions is: what drives the price, or the 'bounty', per vulnerability? Seriousness, presumably, but determined by whom? If someone discovers a major security hole in a major operating system, do they get paid the same amount as someone who discovers a hole in an obscure data transmission protocol that is hardly used anymore? A true free market would put sellers on one side and buyers on the other and let them sort out the best price for both parties. However, if TippingPoint just offers a fixed amount per vulnerability, then many security researchers may not focus on finding the major security holes that cause the biggest problems.
According to a new study by AOL and NCSA,
roughly one in four U.S. Internet users are targets of phishing attacks–phony e-mails seeking personal financial data–according to a study conducted by Time Warner’s Internet unit AOL and the National Cyber Security Alliance.
Only 1 in 4? Considering that 100% (or close to it, anyway) of Net users receive spam, it is surprising that only 25% have been identified as recipients of phishing attacks. After all, it is often the same people who fill our inboxes with medication offers or mortgage deals-of-a-lifetime who graduate to sending phishing e-mails.
The study showed that 81 percent of home PCs lack either updated computer software, spyware protection or a secure firewall.
And this explains why home networked PCs are the #1 source of spam, phishing, and other Internet garbage.
[Via CNET News.com, United States]