Thursday, July 12, 2007

Vulnerability Auction Services

Lately, it seems, vulnerability auctions are capturing a lot of news. As a researcher, I'm not quite sure how I feel about them. There are a lot of items to consider. In the past I've been involved with ZDI, iDefense and others with regards to vulnerabilities being sold. Vendor-based solutions generally handle the responsible disclosure aspect of the issue, including dealing with the vulnerable vendor. In an auction-based scenario, the seller may not have the opportunity to understand who may be purchasing his or her vulnerability. For some researchers, knowing the endpoint of the vulnerability may not be an issue. For others, ethics may play a part. It's really an interesting area. What are the thoughts of the crew out there?

3 comments:

ri0t said...

One of the issues I see with vulnerability auctions is that, to accurately list a vulnerability, one has to put a lot of information about the bug in the advert. This could lead not only to the bug being discovered independently but also to a significant drop in value. Take, for instance, the SquirrelMail GPG plug-in bug that was posted: after it had been up there, tons of other bugs in that same code were found by researchers and released to the public. Chances are one of those was the bug that was being sold, and it is now worth far less than the buyer is going to pay.

Just my .02.


ri0t

Unknown said...

Dear,

I'm Juergen Marester. I'm selling 0day; let's see: http://seclists.org/fulldisclosure/2007/Aug/0364.html

I will be happy to work with you; please contact me by mail: marester.juergen@gmail.com

Unknown said...

It's a lot easier to use a company like 0Day Exchange (www.0dayexchange.com), as they have been around for a couple of years and will probably get you a better offer on your work.