Selling zero-days……

Posted on June 3rd, 2007 by Drazen Drazic

Is it just me or is this growing into big business in the normal business world (i.e. not the black market)? The recent story Zero-day sales not “fair” — to researchers highlights that what was once traditional work for the benefit of the community is being replaced with profit-driven objectives and, ultimately, profit-driven research. This is just one of many examples you’ll now find in the news frequently.

The sale of vulnerabilities flies in the face of what we do as an organisation, but what does it ultimately mean for the industry, for security and for business risk as a whole? It is early days, but do the sums based upon the dollars talked about in the article…..even the lower end of the dollars quoted makes it attractive.

The big question then is: where does the sale cross from legal to questionable…where are the boundaries…..or are they already blurred?

Related recent posts…..are we talking about things that differ that much?
http://beastorbuddha.blogspot.com/2007/05/cyber-crimemore-than-just-small-gangs.html
http://beastorbuddha.blogspot.com/2007/05/auscert-2007.html

One Response to “Selling zero-days……”

  1. Hello,

    This is Stas.

    I think that “responsible disclosure” and “is it OK to buy vulnerabilities” discussion is getting irrelevant these days.

    A black market for vulnerabilities has existed for some time. The dark side is buying, selling and using it.
    We have seen several cases where vulnerabilities were discovered by reverse engineering malware.

    So if there is no legal market for 0-days, then a lot of people could face a choice between good money from a questionable buyer or no money plus a possible conflict with the vendor. We cannot expect people to hold on in such situations.

    And if a legal market exists, then it has to compete with the black market price-wise.

    The world is changing; capitalism is taking over security research.
