Dailydave mailing list archives
Re: Faster, smashter. (fwd)
From: Robert Lemos <lists () robertlemos com>
Date: Wed, 10 Dec 2008 09:29:57 -0500
On Dec 10, 2008, at 1:27 AM, BEES INC wrote:
you would be better off writing insurance and collecting premiums, and if something does happen the payout could go to covering costs of patching and recovery. I'm pretty sure I've read of something like this being already available.
IANA financial analyst, but... Futures typically only work as a hedge for commodities, where quality is a constant and the supply-demand relationship is the only variable. Because the quality of vulnerabilities varies so widely, it would be hard to create a futures market around them.
However, wine futures might be a good model to base this on. Wine futures typically are sold after the wine is casked, but before it is bottled. So you have some knowledge of the potential quality of the wine, but not of the finished product. I could imagine that trusted groups of researchers could indicate that they are working on finding vulnerabilities in a certain product and had found several of undetermined quality. They could sell the results on the open market, a few months to a few years before their research is finished.
Of course, there are plenty of caveats to this analogy: 1) Wine is atoms, vulns are bits. 2) The researchers would have to take care, or their sale could be (or at least appear to be) extortion. 3) You could argue that there is generally only one legitimate buyer -- the developer whose software you are auditing -- for the product, severely limiting the market.
Likely, this would only work on the underground market, because of point 3. In the legitimate market, the model would default to the "pay for a trusted auditor to audit your software" deal that is already in existence.
-R | robert lemos | mail () robertlemos com | twit: rlemos_security | | managing editor | securityfocus | www.securityfocus.com | | technology journalist | http://www.robertlemos.com |
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Faster, smashter. (fwd) sinan . eren (Dec 09)
- Re: Faster, smashter. (fwd) security curmudgeon (Dec 09)
- Re: Faster, smashter. (fwd) BEES INC (Dec 10)
- Re: Faster, smashter. (fwd) Jon Passki (Dec 10)
- Re: Faster, smashter. (fwd) BEES INC (Dec 11)
- Re: Faster, smashter. (fwd) Jon Passki (Dec 11)
- Robert Seacord on the CERT C Secure Coding Standard Robert Seacord (Dec 16)
- Message not available
- Re: Robert Seacord on the CERT C Secure Coding Standard Robert Seacord (Dec 17)
- Re: Faster, smashter. (fwd) Jon Passki (Dec 10)
- Re: Faster, smashter. (fwd) Matthew Wollenweber (Dec 11)
- Re: Faster, smashter. (fwd) Charles Miller (Dec 11)
