Posts Tagged ‘vulnerability’

update: users can’t register to become subscribers

2009/01/01/1304

Almost no one has registered as a subscriber, and now RTFA is getting repeated registrations from a big Polish cellphone provider. I’m not aware of a current WordPress vulnerability, but all the same, I think I will close off subscriber registration.

I really appreciate the subscriptions, so please use the “subscribe” link at the top of the page to grab the RSS feed. Thanks! Sorry if this is an inconvenience for anyone…

Just Who’s Being Exploited?

2008/04/30/0847

RTFA: http://www.securityfocus.com/columnists/470

Even the clumsy, rudimentary risk pricing of Annualized Loss Expectancy (ALE), which multiplies the projected cost of recovering from one incident by the number of incidents expected per year, makes worm defense worth hundreds of thousands of dollars for a bank, hospital or large enterprise. When the recovery costs projected by IT security risk models are compared with the amounts being paid for 0-day vulnerabilities, there is a big, scary gap that shows one of the following:

1. according to the market prices for 0-day exploits, the security risk from 0-day vulnerabilities is vastly overestimated,
2. according to IT risk models, vulnerabilities are completely underpriced, or
3. most 0-day developers lack basic negotiation skills.
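To make the gap concrete, here is the ALE arithmetic carried through in Python, with the defender’s maximum justified spend on a control set against an exploit price. This is an added example, not code from the column or from RTFA; every dollar figure, the assumed drop in incident rate, and the $50,000 exploit price are constructed assumptions for illustration only.

```python
"""Worked Annualized Loss Expectancy (ALE) arithmetic.

Added example. All inputs below are constructed assumptions, not figures
taken from the column or from any real exploit market.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: value of the asset times the fraction of it lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction in [0, 1]")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, where ARO is the number of incidents expected per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def max_justified_spend(ale_without_control, ale_with_control):
    """Upper bound on what a control may cost per year and still pay for itself.

    The classic rule: a control is worth at most the ALE it removes. A control
    that makes things worse is worth nothing, hence the floor at zero.
    """
    return max(0.0, ale_without_control - ale_with_control)


def gap_ratio(defender_valuation, market_price):
    """How many times more the defender's model values the risk than the
    market pays for the exploit that realises it."""
    if market_price <= 0:
        raise ValueError("market price must be positive")
    return defender_valuation / market_price


def worked_example():
    # Constructed assumptions for a worm outbreak at a large enterprise:
    # $2M of exposed systems and data, 25% of it lost per incident, and
    # two incidents per year without any worm defence in place.
    sle = single_loss_expectancy(asset_value=2_000_000, exposure_factor=0.25)
    ale_undefended = annualized_loss_expectancy(sle, aro=2.0)
    # Assume patch management plus segmentation cuts ARO from 2.0 to 0.25.
    ale_defended = annualized_loss_expectancy(sle, aro=0.25)
    justified = max_justified_spend(ale_undefended, ale_defended)
    # Assumed purchase price for the 0-day a worm author would need.
    exploit_price = 50_000
    return {
        "sle": sle,
        "ale_undefended": ale_undefended,
        "ale_defended": ale_defended,
        "max_justified_defence_spend": justified,
        "ale_to_exploit_price_ratio": gap_ratio(ale_undefended, exploit_price),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:30s} {value:>14,.2f}")
```

Under these assumptions the defender’s own model says the worm risk is worth twenty times what the assumed exploit price pays out, and that the defender could rationally spend several hundred thousand dollars a year on the control. Change the inputs and the ratio moves, but the structure of the comparison in the column is exactly this: a recovery-cost model on one side, a market price on the other.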

Totally wild concept: the damage from software vulnerabilities costs dramatically more than the labor that uncovers those vulns. Therefore, should undisclosed vulns sell for more?