Bug brokers offering higher bounties
Buyers locking up flaws to increase their shelf life?
Some smaller firms have hit on ways to better profit from vulnerability information.
While 3Com's and VeriSign's well-known vulnerability purchasing programs have legitimized the trade in security research, smaller boutique firms that cater to penetration testers or that have high-value vulnerability disclosure lists could become significant competitors.
Buenos Aires-based Argeniss Information Security, for example, pays only for a small number of critical vulnerabilities. The company adds the information to its Ultimate 0-day Exploits Pack, an add-on set of attacks for the popular penetration testing tool, CANVAS. A 0-day exploit in Microsoft's Internet Explorer or Outlook can bring in a dozen new customers in a day, Cesar Cerrudo, founder and CEO of the Argeniss, told SecurityFocus in an e-mail interview
"For sure, we will pay more than iDefense," Cerrudo said. "Anyone will pay more than iDefense."
The nascent marketplace for vulnerabilities could suffer a shakeup if companies such as Argeniss and Netragard keep up the price pressures.
In 2002, security firm iDefense - now part of Internet giant VeriSign - kicked off its Vulnerability Contributor Program (VCP), offering thousands of dollars for security vulnerabilities. While the program grew quickly, unveiling 150 vulnerabilities in 2005 including 11 flaws in Microsoft software, the number of vulnerabilities outed by the program declined in 2006. The company only published 81 advisories in 2006 for flaws found by VCP researchers, only four of which were in Microsoft software (corrected). Earlier this month, the company offered $8,000 for the first six Windows Vista or Internet Explorer 7 vulnerabilities exclusively sold to its program.
The Zero-Day Initiative started at TippingPoint, now a division of networking giant 3Com, had strong growth in 2006. The program, started in July 2005, only released advisories for 3 flaws that year, but published information on 54 vulnerabilities - including 13 in Microsoft software - in 2006. The company does not publish the prices it pays for vulnerability information, but aims to compete directly against iDefense.
"To date, we have not lost out to iDefense on any offer," said Forslof. "We have people that have shopped around and they have always gone with us in the end."
iDefense did not make a spokesperson available for comment on its Vulnerability Contributor Program. However, a former iDefense manager believes that the industry still has room for more competitors.
"The vulnerability industry, in general, is still an immature industry," said Michael Sutton, the former director of iDefense Labs and current security evangelist for SPI Dynamics. "I think there is enough volume for at least a half dozen different players."
If the efforts of Microsoft and other major software vendors reduce the number of critical flaws, security researchers stand to gain from competition between buyers, Sutton said. Relying on selling vulnerability information could pay the rent, he said.
"You would be hard pressed to find someone who relies solely on the income from vulnerability research," Sutton said. "But the prices are getting high enough that, depending on where you lived and how good of a researcher you were, you could make a living."
CORRECTION: The article undercounted the number of Microsoft issues found by researchers participating in VeriSign's Vulnerability Contributor Program (VCP) in 2006. The program's contributors found four issues in Microsoft software.
This article originally appeared in Security Focus.
Copyright © 2007, SecurityFocus