Slashdot Mirror


How To Go Broke Selling Zero-Day Exploits

Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that the vast majority of the flaws sell for less than $5,000. Almost none of them sell for much more than $10,000. At those prices, there's little chance that this is going to turn into the chaotic Wild West marketplace that some people predicted. It's a small, mostly controlled market that isn't making anyone rich."

9 of 66 comments

  1. "...it's a small, mostly controlled market..." by John Hasler · · Score: 1, Funny

    But, but, it's an unregulated market!!! Evil, evil, evil!!! Soon there will be derivatives!!! And speculators!!! And high-frequency trading!!! The economies of nations will be destroyed if this is not brought under government control now!!! (and taxed, of course)

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:"...it's a small, mostly controlled market..." by Mindcontrolled · · Score: 3, Funny

      "I am a teabagging moron" would have been shorter. Why waste your energy on typing all those exclamation marks?

      --
      Ubi solitudinem faciunt, pacem appellant.
  2. Well, duh. by selven · · Score: 5, Funny

    Guy: Hi, I have a security vulnerability, I'll tell you the details for $10k.

    Software Company: Ok, show us the vulnerability.

    Guy: Ok, I'll come over and demonstrate on my computer.

    Software Company: Oh no, not on your computer, you could have set your computer up to be vulnerable. Do it to our computer, so we know you're not tricking us.

    Guy: Ok, fine (launches attack on company computer)

    Security Researcher A: Ok, the attack's coming in. Let's see what it's doing.

    Security Researcher B: Ok, looks like a buffer overflow in the third step of the authentication process. Let's go tell our developers.

    Guy: Guess what, it worked. Looks like I'm not tricking you after all. So, will you buy the vulnerability from me for the $10k we agreed on now?

    Guy: ...

    Guy: Guys?

  3. Re:"You're doing it wrong." by Yuan-Lung · · Score: 5, Funny

    "Selling vulnerabilities == little money"

    Are you sure about that?

    I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.

  4. Re:"You're doing it wrong." by Anonymous Coward · · Score: 1, Funny

    That's why they have to start selling exploits for MacOS. Most likely, those will also be overpriced, and with limited functionality that will require spending more on libraries or "apps".

    Maybe they will come up with the idea of the "Exploit Store" and a similar business model :)

  5. Re:"You're doing it wrong." by _Sprocket_ · · Score: 5, Funny

    I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.

    They didn't sell vulnerabilities. Those were features - added at no additional cost. Loss-leaders, if you will.

  6. Don't worry by Anonymous Coward · · Score: 3, Funny

    Neither did the mods. :)

  7. Re:"You're doing it wrong." by _Sprocket_ · · Score: 3, Funny

    They're not features until they get documented.

    Wait... they're easter eggs?

  8. Re:"You're doing it wrong." by The Grim Reefer2 · · Score: 2, Funny

    They're not features until they get documented.

    Wait... they're easter eggs?

    Exactly.