Would a Malware BuyBack Program Work?

I just read a story about how successful L.A.'s gun buyback program has been and it reminded me about a suggestion that was made at our Boston Suits and Spooks event - that a buyback program might be successful in reducing the amount of malware in circulation. Most malware writers just want to be paid for their research; something that isn't happening frequently enough or at a rate that's considered fair by the researchers. As a result, some of those researchers are exploring grey markets in offensive malware development or are selling 0-days to clients as a form of threat intelligence, or both.

Imagine how much malware the U.S. government could buy for the price of one F-35 ($600 million per jet). And the intelligence gleaned from a forensics review of all that malware would be priceless. Certain precautions would have to be built in to the program to reduce fraud or recompiling malicious code to create slightly different versions for sale, etc., but I think it's worth at least a pilot program to gauge its effectiveness.

Comments