How To Go Broke Selling Zero-Day Exploits
Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that the vast majority of the flaws sell for less than $5,000. Almost none of them sell for much more than $10,000. At those prices, there's little chance that this is going to turn into the chaotic Wild West marketplace that some people predicted. It's a small, mostly controlled market that isn't making anyone rich."
Guy: Hi, I have a security vulnerability, I'll tell you the details for $10k.
Software Company: Ok, show us the vulnerability.
Guy: Ok, I'll come over and demonstrate on my computer.
Software Company: Oh no, not on your computer, you could have set your computer up to be vulnerable. Do it to our computer, so we know you're not tricking us.
Guy: Ok, fine (launches attack on company computer)
Security Researcher A: Ok, the attack's coming in. Let's see what it's doing.
Security Researcher B: Ok, looks like a buffer overflow in the third step of the authentication process. Let's go tell our developers.
Guy: Guess what, it worked. Looks like I'm not tricking you after all. So, will you buy the vulnerability from me for the $10k we agreed on now?
Guy: ...
Guy: Guys?
"Selling vulnerabilities == little money"
Are you sure about that?
I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.
"I am a teabagging moron" would have been shorter. Why waste your energy typing all those exclamation marks?
Where they make a desert, they call it peace.
I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.
They didn't sell vulnerabilities. Those were features - added at no additional cost. Loss-leaders, if you will.
Neither did the mods. :)
They're not features until they get documented.
Wait... they're easter eggs?
They're not features until they get documented.
Wait... they're easter eggs?
Exactly.