Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Go Broke Selling Zero-Day Exploits

Posted by Soulskill on from the supply-and-demand dept.

Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that the vast majority of the flaws sell for less than $5,000. Almost none of them sell for much more than $10,000. At those prices, there's little chance that this is going to turn into the chaotic Wild West marketplace that some people predicted. It's a small, mostly controlled market that isn't making anyone rich."

6 of 66 comments (clear)

  1. Missing component: trust in the seller by Anonymous Coward · · Score: 5, Insightful

    Right now there's no way to have much confidence that you're actually getting what you're paying for. If the exploit doesn't work, what recourse do you have? This is a pretty common element in any underworld economy, but is exacerbated by the Internet's anonymity and the newness/smallness of this particular market.

    The bad news is, other underworld markets eventually overcame this problem.

  2. Re:(shrug) My computer is disposable. by SomeJoel · · Score: 5, Insightful

    In the unlikely event I get a computer-killing virus, trojan, or exploit (hasn't happened since 1985), I figure I'll just trash the thing and buy another one for $300-400. Computers have become disposable just like other appliances.

    It's not the computer that has value, it's your data.

    --
    <Complete your profile by adding a signature!>
  3. The ones getting rich... by ShaunC · · Score: 5, Interesting

    ...are the ones who aren't selling the exploits they find.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  4. Well, duh. by selven · · Score: 5, Funny

    Guy: Hi, I have a security vulnerability, I'll tell you the details for $10k.

    Software Company: Ok, show us the vulnerability.

    Guy: Ok, I'll come over and demonstrate on my computer.

    Software Company: Oh no, not on your computer, you could have set your computer up to be vulnerable. Do it to our computer, so we know you're not tricking us.

    Guy: Ok, fine (launches attack on company computer)

    Security Researcher A: Ok, the attack's coming in. Let's see what it's doing.

    Security Researcher B: Ok, looks like a buffer overflow in the third step of the authentication process. Let's go tell our developers.

    Guy: Guess what, it worked. Looks like I'm not tricking you after all. So, will you buy the vulnerability from me for the $10k we agreed on now?

    Guy: ...

    Guy: Guys?

  5. Re:"You're doing it wrong." by Yuan-Lung · · Score: 5, Funny

    "Selling vulnerabilities == little money"

    Are you sure about that?

    I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.

  6. Re:"You're doing it wrong." by _Sprocket_ · · Score: 5, Funny

    I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.

    They didn't sell vulnerabilities. Those were features - added at no additional cost. Loss-leaders, if you will.