Re: Faster, smashter. (fwd)
From: Robert Lemos <lists () robertlemos com>
Date: Wed, 10 Dec 2008 09:29:57 -0500
On Dec 10, 2008, at 1:27 AM, BEES INC wrote:
> you would be better off writing insurance and collecting premiums,
> and if something does happen the payout could go to covering costs of
> patching and recovery. i'm pretty sure i've read of something like this
> being already available.
IANA financial analyst, but...
Futures typically only work as a hedge for commodities, where quality
is a constant and the supply-demand relationship is the only variable.
Because the quality of vulnerabilities varies so widely, it would be
hard to create a futures market around them.
However, wine futures might be a good model to base this on. Wine
futures typically are sold after the wine is casked, but before it is
bottled. So you have some knowledge of the potential quality of the
wine, but not of the finished product. I could imagine that trusted
groups of researchers could indicate that they are working on finding
vulnerabilities in a certain product and had found several of
undetermined quality. They could sell the results on the open market,
a few months to a few years before their research is finished.
Of course, there are plenty of caveats to this analogy:
1) Wine is atoms, vulns are bits.
2) The researchers would have to take care or their sale could be (or
at least appear to be) extortion.
3) You could argue that there is generally only one legitimate buyer
-- the developer whose software you are auditing -- for the product,
severely limiting the market.
Likely, this would only work on the underground market, because of
point 3. In the legitimate market, the model would default to the "pay
for a trusted auditor to audit your software" deal that is already in
| robert lemos | mail () robertlemos com | twit: rlemos_security |
| managing editor | securityfocus | www.securityfocus.com |
| technology journalist | http://www.robertlemos.com |
Dailydave mailing list
Dailydave () lists immunitysec com