An effective way to significantly improve software security is to compete head-to-head with the black market for previously unknown vulnerabilities, a security research company says.
In an analysis released Tuesday, NSS Labs recommended the formation of an international vulnerability purchase program (IVPP) that would pay competitive prices for so-called zero-day vulnerabilities sold to brokers, subscription services and hackers.
Between 60 and 80 percent of vulnerabilities today are reported to software vendors free of charge by security researchers more interested in protecting users than in profiting from the flaws, NSS says. The remaining vulnerabilities are either purchased by vendors or end up on the black market, where cybercriminals can readily buy them.
By having a centralized vulnerability purchasing program, "we would get lots of researchers to investigate vulnerabilities," Stefan Frei, NSS Labs research director and co-author of the report, said. In addition, a clear message would be sent to software vendors that when they ship a product, "it would be thoroughly scrutinized from day one."