Feeds

Bug brokers offering higher bounties

Buyers locking up flaws to increase their shelf life?

Secure remote control for conventional and virtual desktops

Some smaller firms have hit on ways to better profit from vulnerability information.

While 3Com's and VeriSign's well-known vulnerability purchasing programs have legitimized the trade in security research, smaller boutique firms that cater to penetration testers or that have high-value vulnerability disclosure lists could become significant competitors.

Buenos Aires-based Argeniss Information Security, for example, pays only for a small number of critical vulnerabilities. The company adds the information to its Ultimate 0-day Exploits Pack, an add-on set of attacks for the popular penetration testing tool, CANVAS. A 0-day exploit in Microsoft's Internet Explorer or Outlook can bring in a dozen new customers in a day, Cesar Cerrudo, founder and CEO of the Argeniss, told SecurityFocus in an e-mail interview

"For sure, we will pay more than iDefense," Cerrudo said. "Anyone will pay more than iDefense."

The nascent marketplace for vulnerabilities could suffer a shakeup if companies such as Argeniss and Netragard keep up the price pressures.

In 2002, security firm iDefense - now part of Internet giant VeriSign - kicked off its Vulnerability Contributor Program (VCP), offering thousands of dollars for security vulnerabilities. While the program grew quickly, unveiling 150 vulnerabilities in 2005 including 11 flaws in Microsoft software, the number of vulnerabilities outed by the program declined in 2006. The company only published 81 advisories in 2006 for flaws found by VCP researchers, only four of which were in Microsoft software (corrected). Earlier this month, the company offered $8,000 for the first six Windows Vista or Internet Explorer 7 vulnerabilities exclusively sold to its program.

The Zero-Day Initiative started at TippingPoint, now a division of networking giant 3Com, had strong growth in 2006. The program, started in July 2005, only released advisories for 3 flaws that year, but published information on 54 vulnerabilities - including 13 in Microsoft software - in 2006. The company does not publish the prices it pays for vulnerability information, but aims to compete directly against iDefense.

"To date, we have not lost out to iDefense on any offer," said Forslof. "We have people that have shopped around and they have always gone with us in the end."

iDefense did not make a spokesperson available for comment on its Vulnerability Contributor Program. However, a former iDefense manager believes that the industry still has room for more competitors.

"The vulnerability industry, in general, is still an immature industry," said Michael Sutton, the former director of iDefense Labs and current security evangelist for SPI Dynamics. "I think there is enough volume for at least a half dozen different players."

If the efforts of Microsoft and other major software vendors reduce the number of critical flaws, security researchers stand to gain from competition between buyers, Sutton said. Relying on selling vulnerability information could pay the rent, he said.

"You would be hard pressed to find someone who relies solely on the income from vulnerability research," Sutton said. "But the prices are getting high enough that, depending on where you lived and how good of a researcher you were, you could make a living."

CORRECTION: The article undercounted the number of Microsoft issues found by researchers participating in VeriSign's Vulnerability Contributor Program (VCP) in 2006. The program's contributors found four issues in Microsoft software.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Beginner's guide to SSL certificates

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.