How To Go Broke Selling Zero-Day Exploits
Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that the vast majority of the flaws sell for less than $5,000. Almost none of them sell for much more than $10,000. At those prices, there's little chance that this is going to turn into the chaotic Wild West marketplace that some people predicted. It's a small, mostly controlled market that isn't making anyone rich."
"...it's a small, mostly controlled market..." (Score:1, Funny)
Well, duh. (Score:5, Funny)
Guy: Hi, I have a security vulnerability, I'll tell you the details for $10k.
Software Company: Ok, show us the vulnerability.
Guy: Ok, I'll come over and demonstrate on my computer.
Software Company: Oh no, not on your computer, you could have set your computer up to be vulnerable. Do it to our computer, so we know you're not tricking us.
Guy: Ok, fine (launches attack on company computer)
Security Researcher A: Ok, the attack's coming in. Let's see what it's doing.
Security Researcher B: Ok, looks like a buffer overflow in the third step of the authentication process. Let's go tell our developers.
Guy: Guess what, it worked. Looks like I'm not tricking you after all. So, will you buy the vulnerability from me for the $10k we agreed on now?
Guy: ...
Guy: Guys?
Re:"You're doing it wrong." (Score:5, Funny)
Are you sure about that?
I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.
Re:"...it's a small, mostly controlled market..." (Score:4, Funny)
Re:"You're doing it wrong." (Score:1, Funny)
Maybe they will come up with the idea of the "Exploit Store" and a similar business model.
Re:"You're doing it wrong." (Score:5, Funny)
I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.
They didn't sell vulnerabilities. Those were features - added at no additional cost. Loss-leaders, if you will.
Don't worry (Score:3, Funny)
Neither did the mods. :)
Re:"You're doing it wrong." (Score:4, Funny)
They're not features until they get documented.
Wait... they're easter eggs?
Re:"You're doing it wrong." (Score:3, Funny)
They're not features until they get documented.
Wait... they're easter eggs?
Exactly.