
New Site Aims To Be iTunes For Exploits

Posted by Soulskill
from the bet-they-won't-cost-99-cents dept.
Trailrunner7 writes "It's been tried before, but NSS Labs founder Rick Moy says his company's new Exploit Hub — a store front for exploit code — can work. In an interview, he explains why the current market for exploits doesn't work for the good guys, and why zero-day exploits don't help anyone. Above-board markets for software vulnerabilities have been around for close to a decade, but previous efforts to market exploits have had mixed results. The business of selling exploits versus vulnerabilities is fraught with danger, and organizations like WabiSabiLabi have operated eBay-style marketplaces for zero-day exploits for years, but haven't seen exploit writers beating a path to their door. The need for an above-board marketplace that can compete with the black market surely exists, but getting it to work is another matter entirely."
  • Re:What the hell (Score:5, Interesting)

    by mea37 (1201159) on Friday October 15, 2010 @12:52PM (#33910442)

    RTFA. Or educate yourself generally on how the IT security industry operates. Either way works.

  • by Anonymous Coward on Friday October 15, 2010 @12:56PM (#33910484)

    I'm not all that familiar with the MetaSploit Framework (which has been bought out) but don't things like this already exist...except they'!

  • Re:What the hell (Score:5, Interesting)

    by clone53421 (1310749) on Friday October 15, 2010 @12:57PM (#33910504) Journal

    The people who wrote the software in the first place. They want to produce software that isn’t buggy and exploitable, and the only way to find exploitable bugs is to be actively looking for them and to be good at exploiting them.

    They need good software crackers (in both senses of the word: skilled and working for them) working on betas to find vulnerabilities in the software so that the vulnerabilities can be fixed before the alpha of the software is released.

    Note that it specifically says that they won’t be dealing with 0-day exploits (critical exploits in existing, already-released software products). They want to find these before they release, and to do that, they have to hire crackers.

  • Ebay for exploits (Score:2, Interesting)

    by munky99999 (781012) on Friday October 15, 2010 @01:22PM (#33910804)

    We need an auction site where vendors, bad guys, and good guys all bid on 0days.
  • Re:What the hell (Score:2, Interesting)

    by Dishevel (1105119) on Friday October 15, 2010 @01:46PM (#33911130)

    No. If you say "I have found an exploit for your software. If you want it, it will cost you X. If not, have a nice day. I hope no one else can find the same type of exploit," there is nothing wrong with that.

    If on the other hand you tell the company that either they buy it or you will sell it to others, then that is extortion and is illegal. You do one or the other. There is no other side to the coin.

    They are separate coins altogether.

  • Re:What the hell (Score:3, Interesting)

    by GameboyRMH (1153867) on Friday October 15, 2010 @02:05PM (#33911372) Journal

    Here's how I see it, it's like inspecting a dam (on your own time) and finding a crack. Now you could charge the dam company (haha) for the information you found - even though they didn't ask for it. If they were nice, fair people and you ask a fair price, they'd pay you, but they may decide not to (or you could be an asshole and ask way too much), they may say go screw yourself and not fix the crack. What then? Now you can either:

    1. Give up the information anyway - the dam company will never pay you for any information in the future, and neither will anyone else who hears about it.

    2. Sit on the information that threatens the people of Floodplain Valley until the dam company pays (if ever). Maybe it's just me but I would find this very wrong.

    3. Release the information to the public and hope the dam engineers get to the crack before Snidely Whiplash.

    Now you are left with a bunch of bad options, all of which have put innocent third parties at more risk than if you'd given up the information freely.

    This is why I say that if you find an exploit on your own time in someone's software, you should give them the information for free. If you have a problem with this, then either stop spending your time looking for the exploits (can't blame you, you're not getting paid and if you feel you must get paid for doing it, you obviously don't do it for fun) or drop the pretense of morality and become a black hat.

  • Re:What the hell (Score:3, Interesting)

    by c6gunner (950153) on Friday October 15, 2010 @04:08PM (#33912938)

    *shrug* I would have no problem with that. I don't see why you should get a free diagnostic out of the deal. Hell, unless you have your own ODBC reader, most mechanics will charge you $50 just for a basic readout. I bought the code reader because it pays for itself in the long run, but I see nothing wrong with mechanics wanting to get paid for the work they do.