Feeds

Bug brokers offering higher bounties

Buyers locking up flaws to increase their shelf life?

Securing Web Applications Made Simple and Scalable

Some smaller firms have hit on ways to better profit from vulnerability information.

While 3Com's and VeriSign's well-known vulnerability purchasing programs have legitimized the trade in security research, smaller boutique firms that cater to penetration testers or that have high-value vulnerability disclosure lists could become significant competitors.

Buenos Aires-based Argeniss Information Security, for example, pays only for a small number of critical vulnerabilities. The company adds the information to its Ultimate 0-day Exploits Pack, an add-on set of attacks for the popular penetration testing tool, CANVAS. A 0-day exploit in Microsoft's Internet Explorer or Outlook can bring in a dozen new customers in a day, Cesar Cerrudo, founder and CEO of the Argeniss, told SecurityFocus in an e-mail interview

"For sure, we will pay more than iDefense," Cerrudo said. "Anyone will pay more than iDefense."

The nascent marketplace for vulnerabilities could suffer a shakeup if companies such as Argeniss and Netragard keep up the price pressures.

In 2002, security firm iDefense - now part of Internet giant VeriSign - kicked off its Vulnerability Contributor Program (VCP), offering thousands of dollars for security vulnerabilities. While the program grew quickly, unveiling 150 vulnerabilities in 2005 including 11 flaws in Microsoft software, the number of vulnerabilities outed by the program declined in 2006. The company only published 81 advisories in 2006 for flaws found by VCP researchers, only four of which were in Microsoft software (corrected). Earlier this month, the company offered $8,000 for the first six Windows Vista or Internet Explorer 7 vulnerabilities exclusively sold to its program.

The Zero-Day Initiative started at TippingPoint, now a division of networking giant 3Com, had strong growth in 2006. The program, started in July 2005, only released advisories for 3 flaws that year, but published information on 54 vulnerabilities - including 13 in Microsoft software - in 2006. The company does not publish the prices it pays for vulnerability information, but aims to compete directly against iDefense.

"To date, we have not lost out to iDefense on any offer," said Forslof. "We have people that have shopped around and they have always gone with us in the end."

iDefense did not make a spokesperson available for comment on its Vulnerability Contributor Program. However, a former iDefense manager believes that the industry still has room for more competitors.

"The vulnerability industry, in general, is still an immature industry," said Michael Sutton, the former director of iDefense Labs and current security evangelist for SPI Dynamics. "I think there is enough volume for at least a half dozen different players."

If the efforts of Microsoft and other major software vendors reduce the number of critical flaws, security researchers stand to gain from competition between buyers, Sutton said. Relying on selling vulnerability information could pay the rent, he said.

"You would be hard pressed to find someone who relies solely on the income from vulnerability research," Sutton said. "But the prices are getting high enough that, depending on where you lived and how good of a researcher you were, you could make a living."

CORRECTION: The article undercounted the number of Microsoft issues found by researchers participating in VeriSign's Vulnerability Contributor Program (VCP) in 2006. The program's contributors found four issues in Microsoft software.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.