MemeStreams | MemeStreams Discussion

Create an Account

This page contains all of the posts and discussion on MemeStreams referencing the following web page: Researchers seek cash for software flaws - Yahoo! News. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

Researchers seek cash for software flaws - Yahoo! News
by freakn at 3:59 pm EDT, Jul 23, 2007

Don't wanna give away vulns for free? Try auctioning to the newly formed market.

Charlie Miller, now the principal security analyst at Independent Security Evaluators, said the demands for payments stem from frustrations that vendors' in-house researchers "are making a lot of money to look for bugs and whenever someone from the outside finds something, they don't get paid anything."
Preatoni described his auction as a way for researchers to receive what their knowledge is truly worth, saying the security industry is currently built on top of research that is undervalued.

Although researchers historically have shared knowledge for free, "there's been a market that has naturally evolved where this information is power," said Ken Durham, director of the rapid response team with VeriSign-iDefense. "Our concern is people would start to turn to the dark side unless they had a responsible avenue."
Terri Forslof, who runs TippingPoint's Zero Day Initiative, said programs like hers can never pay as much as the black market, but most legitimate researchers are willing to accept smaller payments knowing the buyer would handle the information responsibly.

RE: Researchers seek cash for software flaws - Yahoo! News
by Decius at 6:47 pm EDT, Jul 23, 2007

freakn wrote:
Don't wanna give away vulns for free? Try auctioning to the newly formed market.

Try being the operative word. While WabiSabiLabi has gotten lots of press over the past few weeks, there are only 5 vulnerabilities there, four of which were there when I first heard about the site. Two have apparently been purchased. There has been a public effort to reverse engineer at least one of the bugs based soley on the title description. The problems are:

1. If you put something serious up for auction the security community would react immediately, and they may react by auditing instead of purchasing. A day of auditing costs less than $10,000.

2. You have to sell to the highest bidder, even if the highest bidder is Osama Bin Lauden. This takes all of the ethics out of the practice.

I think this has mostly just been an occaision for various people in the industry to express their views on more serious efforts such as those pursued by TippingPoint and iDefense. You can sell them bugs. WabiSabiLabi is not serious until its serious. In any event, I don't really think its possible to sustain one's self as a researcher on money made this way. If you find something, you might make some bucks off of it, but you aren't going to find enough on a regular basis to keep a roof over your head.