Feeds

Bug brokers offering higher bounties

Buyers locking up flaws to increase their shelf life?

Beginner's guide to SSL certificates

Some smaller firms have hit on ways to better profit from vulnerability information.

While 3Com's and VeriSign's well-known vulnerability purchasing programs have legitimized the trade in security research, smaller boutique firms that cater to penetration testers or that have high-value vulnerability disclosure lists could become significant competitors.

Buenos Aires-based Argeniss Information Security, for example, pays only for a small number of critical vulnerabilities. The company adds the information to its Ultimate 0-day Exploits Pack, an add-on set of attacks for the popular penetration testing tool, CANVAS. A 0-day exploit in Microsoft's Internet Explorer or Outlook can bring in a dozen new customers in a day, Cesar Cerrudo, founder and CEO of the Argeniss, told SecurityFocus in an e-mail interview

"For sure, we will pay more than iDefense," Cerrudo said. "Anyone will pay more than iDefense."

The nascent marketplace for vulnerabilities could suffer a shakeup if companies such as Argeniss and Netragard keep up the price pressures.

In 2002, security firm iDefense - now part of Internet giant VeriSign - kicked off its Vulnerability Contributor Program (VCP), offering thousands of dollars for security vulnerabilities. While the program grew quickly, unveiling 150 vulnerabilities in 2005 including 11 flaws in Microsoft software, the number of vulnerabilities outed by the program declined in 2006. The company only published 81 advisories in 2006 for flaws found by VCP researchers, only four of which were in Microsoft software (corrected). Earlier this month, the company offered $8,000 for the first six Windows Vista or Internet Explorer 7 vulnerabilities exclusively sold to its program.

The Zero-Day Initiative started at TippingPoint, now a division of networking giant 3Com, had strong growth in 2006. The program, started in July 2005, only released advisories for 3 flaws that year, but published information on 54 vulnerabilities - including 13 in Microsoft software - in 2006. The company does not publish the prices it pays for vulnerability information, but aims to compete directly against iDefense.

"To date, we have not lost out to iDefense on any offer," said Forslof. "We have people that have shopped around and they have always gone with us in the end."

iDefense did not make a spokesperson available for comment on its Vulnerability Contributor Program. However, a former iDefense manager believes that the industry still has room for more competitors.

"The vulnerability industry, in general, is still an immature industry," said Michael Sutton, the former director of iDefense Labs and current security evangelist for SPI Dynamics. "I think there is enough volume for at least a half dozen different players."

If the efforts of Microsoft and other major software vendors reduce the number of critical flaws, security researchers stand to gain from competition between buyers, Sutton said. Relying on selling vulnerability information could pay the rent, he said.

"You would be hard pressed to find someone who relies solely on the income from vulnerability research," Sutton said. "But the prices are getting high enough that, depending on where you lived and how good of a researcher you were, you could make a living."

CORRECTION: The article undercounted the number of Microsoft issues found by researchers participating in VeriSign's Vulnerability Contributor Program (VCP) in 2006. The program's contributors found four issues in Microsoft software.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Internet Security Threat Report 2014

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.