Dan Geer, chief information security officer at the CIA’s venture capital arm In-Q-Tel, argues that the US government should buy all security exploits, then disclose them:
Zero-day vulnerabilities are security holes in software that are yet unknown to software makers or to antivirus firms. They’re unpatched and unprotected, leaving them open to exploit by spy agencies, criminal hackers, and others. Once the government purchases zero-days, he said, it should burn them by disclosing them. Showing all of these zero-days to the software makers so that they can be fixed would produce a dual benefit: Not only would it improve security, but it would burn our enemies’ stockpiles of exploits and vulnerabilities, making the U.S. far less susceptible to cyberattacks.
He said that paying big for zero days would improve security because it would allow hunting for vulnerabilities to be profitable without being destructive. “Once vulnerability finding became a job and not a hobby, those finding vulnerabilities stopped sharing,” he said. “When bug hunters find bugs just for fun and fame, they share the information immediately because they don’t want someone else to find it and take credit for it.” But those doing it for profit don’t share and don’t care. He proposes that the U.S. government openly corner the world market on vulnerabilities. Under such a program, the government would say, “show us a competing bid, and we’ll give you 10 times.”
(Hat tip to T. Greer.)