Progress in market approaches to software vulnerability disclosure?
In A Comparison of Market Approaches to Software Vulnerability Disclosure (2006), Rainer Böhme describes the profound role of economic "market failure" in the industry dynamics that hinder software security. He also describes 4 kinds of markets that can help:
- Bug challenges, like payments by Mozilla and Google for security bugs
- Vulnerability brokers, aka “vulnerability sharing circles”, e.g. CERT or iDefense
- Exploit derivatives, an application of binary markets to security events
- Cyber-insurance
The latter two seem to be the most promising. Has either of these ideas matured since then, and are they available anywhere?
See also
Exploit Derivatives & National Security - Micah Schwalb - 9 YALE J. L. & TECH. 162 (2007)
Which companies facilitate payment in return for vulnerability disclosure?
Update:
- New index a step to trading IT security risks - CRN Australia which talks about the Index of Cyber Security
Update 2: I just ran across Tyler Moore's paper on misaligned incentives and information asymmetries, and getting ISPs to take more responsibility: Introducing the Economics of Cybersecurity: Principles and Policy Options (pdf), National Academies Press, 2010