Governments are spending up to half a million US dollars to stock up cyber arsenals with zero-day vulnerabilities. Zero-day vulnerabilities are not found by specialist firms, but by individual security researchers or small groups of them.
Security researchers currently report vulnerabilities to product firms under responsible disclosure norms, and the firms fix such flaws before they are published. Product companies do not monetarily incentivize security researchers to report vulnerabilities; instead they offer a mention or an acknowledgement on their web site. Bug bounty programs that motivate third-party researchers to find and report bugs have payouts ranging from five to twenty thousand US dollars.
Hawking zero-days to governments requires that these flaws are kept alive and not reported to product companies. Such flaws remain discoverable by others, including cybercriminals who use them to target enterprises for financial and ideological gain.
Exorbitant payouts and the opportunity to sell a single zero-day to multiple governments will increase the number of security researchers who specialize in this trade. Product companies are forced to be vigilant and to safeguard against employees who deliberately introduce software backdoors in collusion with grey-market operators.