Saturday, December 24, 2005

Pricing Software Vulnerabilities

Two weeks ago, a person going by the nickname "fearwall" tried to auction a flaw in Excel on eBay; the auction was pulled shortly afterwards (article, screenshot).
It appears that after fearwall reported this Excel-crashing flaw to Microsoft, he decided to see how much money he could sell it for.
Currently, it's hard for freelance security researchers to receive monetary compensation for their time. The ones who can actually profit from researching vulnerabilities are the bad guys. Exploiting such a security vulnerability to take control of machines worldwide translates immediately into easy income, as these machines are used to steal bank accounts, send spam and serve advertisements (more information here). As Microsoft and other software companies are somehow not liable for these acts of exploitation, beyond the bad publicity involved, their incentive to research these security holes before launching a new application is not very large.
On the other hand, more ethical options for researchers looking to sell vulnerabilities do exist: the iDefense Vulnerability Contributor Program and the 3Com Zero Day Initiative pay anywhere between $100 and $1,000 for a vulnerability.
