Dailydave mailing list archives

Re: Faster, smashter. (fwd)
From: Robert Lemos <lists () robertlemos com>
Date: Wed, 10 Dec 2008 09:29:57 -0500

On Dec 10, 2008, at 1:27 AM, BEES INC wrote:
> you would be better off writing insurance and collecting premiums,
> and if something does happen the payout could go to covering costs of
> patching and recovery. i'm pretty sure i've read of something like this
> being already available.

IANA financial analyst, but...

Futures typically only work as a hedge for commodities, where quality is a constant and the supply-demand relationship is the only variable. Because the quality of vulnerabilities varies so widely, it would be hard to create a futures market around them.

However, wine futures might be a good model to base this on. Wine futures typically are sold after the wine is casked, but before it is bottled. So you have some knowledge of the potential quality of the wine, but not of the finished product. I could imagine that trusted groups of researchers could indicate that they are working on finding vulnerabilities in a certain product and had found several of undetermined quality. They could sell the results on the open market, a few months to a few years before their research is finished.

Of course, there are plenty of caveats to this analogy:
1) Wine is atoms, vulns are bits.
2) The researchers would have to take care or their sale could be (or at least appear to be) extortion.
3) You could argue that there is generally only one legitimate buyer -- the developer whose software you are auditing -- for the product, severely limiting the market.

Likely, this would only work on the underground market, because of point 3. In the legitimate market, the model would default to the "pay for a trusted auditor to audit your software" deal that is already in existence.


| robert lemos | mail () robertlemos com | twit: rlemos_security |
| managing editor | securityfocus | www.securityfocus.com |
| technology journalist | http://www.robertlemos.com |

Dailydave mailing list
Dailydave () lists immunitysec com
