What if makers of software were held accountable when their programs are hacked? It might seem ridiculous—especially if you’re one of those developers, but Brian Krebs believes that the best way to make sure software companies do the most possible when testing against hackers is to hold them directly accountable for vulnerabilities.
A Market to Buy Zero Day Flaws
Citing vulnerability researcher Stefan Frei’s research, Krebs highlights the market for “zero day flaws”, or flaws in the software that the makers of the software aren’t even aware of. The way of stopping hackers from buying the flaws is to purchase them at a higher price, which is what many security firms do. What Frei proposes is an international buying operation where the makers of software were required to pay for any vulnerability found. Idea being, simply, that there would be more thorough internal efforts to find “zero day flaws” than not. The independent review could inspire a stronger internal review. This played out positively in other innovations:
“When you look at new innovations like cars, airplanes and electricity, we see that security and reliability was enhanced tremendously with each as soon as there was independent testing,” said Frei, an experienced helicopter pilot. “I was recently reading a book about the history of aviation, and [it noted that in] the first iteration of the NTSB [National Transportation Safety Board] it was explicitly stated that when they investigate an accident, if they could not find a mechanical failure, they blamed the pilot. This is what we do now with software: We blame the user. We say, you should have installed antivirus, or done this and that.”
Yet another possibility brought up is government intervention, and the author goes on within that subject among a few others in this informative and question-raising post.
Read the full post here: http://krebsonsecurity.com/2013/12/the-case-for-a-compulsory-bug-bounty/