From: Robert Lemos (lists robertlemos.com)
Date: Wed Dec 10 2008 - 08:29:57 CST
On Dec 10, 2008, at 1:27 AM, BEES INC wrote:
> you would be better off writing insurance and collecting premiums,
> and if something does happen the payout could go to covering costs of
> patching and recovery. I'm pretty sure I've read of something like this
> being already available.
IANA financial analyst, but...
Futures typically only work as a hedge for commodities, where quality
is a constant and the supply-demand relationship is the only variable.
Because the quality of vulnerabilities varies so widely, it would be
hard to create a futures market around them.
However, wine futures might be a good model to base this on. Wine
futures typically are sold after the wine is casked, but before it is
bottled. So you have some knowledge of the potential quality of the
wine, but not of the finished product. I could imagine that trusted
groups of researchers could indicate that they are working on finding
vulnerabilities in a certain product and had found several of
undetermined quality. They could sell the results on the open market,
a few months to a few years before their research is finished.
Of course, there are plenty of caveats to this analogy:
1) Wine is atoms, vulns are bits.
2) The researchers would have to take care or their sale could be (or
at least appear to be) extortion.
3) You could argue that there is generally only one legitimate buyer
-- the developer whose software you are auditing -- for the product,
severely limiting the market.
Likely, this would only work on the underground market, because of
point 3. In the legitimate market, the model would default to the "pay
for a trusted auditor to audit your software" deal that is already in
existence.
-R
| robert lemos | mail robertlemos.com | twit: rlemos_security |
| managing editor | securityfocus | www.securityfocus.com |
| technology journalist | http://www.robertlemos.com |
_______________________________________________
Dailydave mailing list
Dailydave
lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave