cyber warranties

Fixing the lemons market?

This page celebrates the InfoSec vendors who voluntarily offer cyber warranties.

| Company name | Product name | Announced | Coverage limit | T&C | Security condition |
|---|---|---|---|---|---|
| AsTech | Paragon Security Program | 2017 | $5m | No | only covers approved vulnerabilities |
| Cymmetria | MazeRunner | 2019 | min($1m, 2x subscription fee) | No | must install, deploy, operate, repair, maintain or update in accordance with the instructions supplied |
| CrowdStrike | FalconComplete | 2018 | $1m | No | must be configured with recommended protection posture |
| Cybereason | Ultimate package | 2020 | $1m | No | ? |
| MyDigitalShield | Network Threat Protection Lite | ? | $10k | Yes | must maintain appropriate computer and internet security |
| MyDigitalShield | Network Threat Protection Standard and Pro | ? | $50k | Yes | must maintain appropriate computer and internet security |
| SentinelOne | malware protection solutions | 2016 | $1k per end point, $1m per company | Yes | must be configured in accordance with the Documentation |
| WhiteHatSecurity | ? | 2014 | $250k | No | ? |
| WhiteHatSecurity | ? | 2014 | $500k | No | ? |

I believe that cyber warranties could align incentives so that InfoSec vendors build more effective products. The following video sketches out the argument (and embarrassing overproduction):

Those who prefer the written word can read our article written for a general audience.

In a paragraph, we argue that offering a cyber warranty imposes relatively more cost on vendors who build insecure products. Such vendors’ customers would be breached more frequently due to the ineffective product and so would claim indemnity payments under the warranty more frequently. Thus, vendors of ineffective products would face higher costs. However, this only works if: (a) all vendors offer a warranty; (b) warranties cover a meaningful fraction of losses resulting from ineffective products; and (c) the warranties do not contain weasel clauses.