Slashdot Mirror


New Site Aims To Be iTunes For Exploits

Trailrunner7 writes "It's been tried before, but NSS Labs founder Rick Moy says his company's new Exploit Hub — a store front for exploit code — can work. In an interview, he explains why the current market for exploits doesn't work for the good guys, and why zero-day exploits don't help anyone. Above-board markets for software vulnerabilities have been around for close to a decade, but previous efforts to market exploits have had mixed results. The business of selling exploits versus vulnerabilities is fraught with danger, and organizations like WabiSabiLabi have operated eBay-style marketplaces for zero-day exploits for years, but haven't seen exploit writers beating a path to their door. The need for an above-board marketplace that can compete with the black market surely exists, but getting it to work is another matter entirely."

5 of 55 comments

  1. Moy didn't say "iTunes" by BadAnalogyGuy · Score: 5, Informative

    He compared his company to "Craigslist", not "iTunes".

    I'm not sure that's the image you'd want to project for your company, but I'm not that guy.

  2. Re:What the hell by mea37 · Score: 4, Interesting

    RTFA. Or educate yourself generally on how the IT security industry operates. Either way works.

  3. Re:What the hell by clone53421 · Score: 4, Interesting

    The people who wrote the software in the first place. They want to produce software that isn’t buggy and exploitable, and the only way to find exploitable bugs is to be actively looking for them and to be good at exploiting them.

    They need good software crackers (in both senses of the word: skilled and working for them) working on betas to find vulnerabilities in the software so that the vulnerabilities can be fixed before the alpha of the software is released.

    Note that it specifically says that they won’t be dealing with 0-day exploits (critical exploits in existing, already-released software products). They want to find these before they release, and to do that, they have to hire crackers.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

  4. Re:What the hell by WCguru42 · Score: 4, Insightful

    Charging a company money for information you have on security holes in their software doesn't sound "above board" to me in the least.

    And not earning anything for your work does? If I help you fix your broken program I'm within my rights to ask for compensation. Now, threatening to release and abuse it if you don't pay isn't so ethical.

    --
    "Educate the mind but never at the expense of the soul." ~ Blessed Basil Moreau

  5. Re:What the hell by stephanruby · Score: 4, Informative

    Charging money for software you created 'with your own labor' is generally bad.

    No. Open source doesn't mean free. It never did. RMS, the GPL, they all say that you can charge for your work. Do I really need to find the citation for this? Or are you just pulling my leg?