Bugs in the System: A Primer on the Software Vulnerability Ecosystem and its Policy Implications

Citation
Andi Wilson, Ross Schulman, Kevin Bankston & Trey Herr, Bugs in the System: A Primer on the Software Vulnerability Ecosystem and its Policy Implications (July 28, 2016) (full-text).

Overview
This report offers five initial policy recommendations to ensure that more vulnerabilities are discovered and patched sooner:

(1) The U.S. government should minimize its participation in the vulnerability market, because it is the largest buyer in a market that discourages researchers from disclosing vulnerabilities to be patched.

(2) The U.S. government should establish strong, clear procedures for government disclosure of the vulnerabilities it buys or discovers, with a heavy presumption toward disclosure.

(3) Congress should establish clear rules of the road for government hacking to better protect cybersecurity and civil liberties.

(4) Government and industry should support bug bounty programs as an alternative to the vulnerabilities market and investigate other innovative ways to foster the disclosure and prompt patching of vulnerabilities.

(5) Congress should reform computer crime and copyright laws, and agencies should modify their application of such laws to reduce the legal chill on legitimate security research.