
So You Want To Be a Zero Day Exploit Millionaire?

gManZboy writes "There's a thriving trade in zero-day vulnerabilities, predicated on keeping knowledge of these vulnerabilities out of the public domain. For security researchers with knowledge of a bug that's not worth much, or for researchers who question the ethics of selling any bug information, there are alternatives. Vulnerability information service Secunia launched its Secunia Vulnerability Coordination Reward Program, which formalizes what Secunia says it's been doing informally for some time: It acts as a go-between for security researchers that have discovered a vulnerability in a product, and the vendor of that product. Do such practices jeopardize security for the many, while safeguarding just the few? It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market. If you're going to cash in, you face some tough ethical questions."

  • Ethics be damned.. (Score:3, Informative)

    by angiasaa ( 758006 ) on Friday November 11, 2011 @06:31PM (#38030128) Homepage

    It is common practice among digitally inclined firms to sue white-hats when they contact them about security vulnerabilities in their systems, rather than getting down and patching the holes and fixing the flaws.

    It seems to me that it is no wonder that ethically inclined hackers would prefer to avoid approaching firms with their discoveries and instead just sit on them. Personally, I think ethics be gone and let the big lawyered up firms take their attitudes and suffer the consequences.

    Contact the firm, set a deadline and then release the zero-day exploit anonymously on the specified date as promised.
