Thursday, July 12, 2007

Sell "your" eXploit

Recently there has been a lot of "talk" about selling vulnerability information or zero-day exploits. This is likely due to the newly opened online auction website that allows security researchers to sell their findings.

This "eBay" for security research, run by the Swiss-registered company WSLabi, claims to let researchers get a fair "market" price and also to prevent those exploits from being sold to cybercriminals.

Now there is a more "legal" way to sell security findings. Previously, to sell a zero-day exploit, having the contacts to find a "good" and "reliable" buyer was important. Many times, the patch may already have been announced before your deal could go through.

Some estimated "market" rates for exploits:
- Exploit values range between USD$500 and $200,000

- H.D. Moore (Metasploit founder) was offered USD$60,000 and $120,000 for an IE vulnerability.

- Desautels (co-founder of SNOSoft) claims that an exploit can fetch more than USD$75,000, compared with disclosing it on the Bugtraq or Full Disclosure mailing lists.

- Product vendors such as 3Com, VeriSign and Trend Micro are offering between USD$5,000 and $50,000.

- The Mozilla Security Bug Bounty Program offers USD$500 and a T-shirt.

So there is an ethical issue here: buyers that are not the vendor tend to pay much more for an exploit. These buyers (likely government agencies or cybercriminals) are unlikely to report it to the product vendor, as they need to recoup the tens of thousands of dollars spent before their exploit "expires".

So what are you waiting for? Start "whacking" your system and see if you can find any "treasure" to sell. Another part-time business, and/or a way to make your first million.

