Forgot your password?
typodupeerror
Security IT

So You Want To Be a Zero Day Exploit Millionaire? 36

Posted by Soulskill
from the good-luck-with-that dept.
gManZboy writes "There's a thriving trade in zero-day vulnerabilities, predicated on keeping knowledge of these vulnerabilities out of the public domain. For security researchers with knowledge of a bug that's not worth much, or for researchers who question the ethics of selling any bug information, there are alternatives. Vulnerability information service Secunia launched its Secunia Vulnerability Coordination Reward Program, which formalizes what Secunia says it's been doing informally for some time: It acts as a go-between for security researchers that have discovered a vulnerability in a product, and the vendor of that product. Do such practices jeopardize security for the many, while safeguarding just the few? It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market. If you're going to cash in, you face some tough ethical questions."
This discussion has been archived. No new comments can be posted.

So You Want To Be a Zero Day Exploit Millionaire?

Comments Filter:
  • by codepunk (167897) on Friday November 11, 2011 @05:05PM (#38029096)

    I cannot spend ethics, cash however is always welcome.

    • by El_Muerte_TDS (592157) <{elmuerte} {at} {drunksnipers.com}> on Friday November 11, 2011 @05:17PM (#38029258) Homepage

      Besides that. "Ethics"? what a crock. That's something for Disney movies.

      • by Anonymous Coward

        Ethics is something an employed person might care about.

        Take away those jobs and take into account corporations' lax attitude about security (which doesn't "add value") and you will have a lot of disgruntled people with inside knowledge of vulnerabilities and trade secrets, who may choose to instead profit directly or indirectly from their new line of work.

        People won't bite the hand that feeds them, but they will bite the hand that slaps 'em.

        -- Ethanol-fueled

      • Hmmm, so I guess your daughter/son/mother/brother/other loved one is fair game, huh? Ethics has many faces, friend. Home is a good starting point.

    • by Weezul (52464)

      There is a fairly eloquent youtube video that discusses security researchers actually being paid for their efforts :

      http://www.youtube.com/watch?v=aVtXac6if14#t=4m

    • True, but selling information that enables criminal hacking can make you an accessory. Actually getting paid for this can and will be used in court against you.
  • by khallow (566160) on Friday November 11, 2011 @05:29PM (#38029436)
    If you're selling zero day exploits to the highest bidder, you are beyond caring about the ethics. The study of ethics assumes that someone sincerely, rationally cares about what they should do or not do. Selling zero day exploits to whoever clearly indicates you're not in that camp.
  • by nurb432 (527695) on Friday November 11, 2011 @06:04PM (#38029818) Homepage Journal

    Not really. And remember too that ethics are relative.

    I know what i would decide without thinking twice, and yes the world would be screwed. In a heartbeat.

  • by Anonymous Coward

    It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market.

    -- OR --

    Perhaps the vulnerabilities were originally engineered for the authors?

  • Ethics be damned.. (Score:3, Informative)

    by angiasaa (758006) on Friday November 11, 2011 @06:31PM (#38030128) Homepage

    It is common practice among digitally inclined firms to sue white-hats when they contact them about security vulnerabilities in their systems, rather than getting down and patching the holes and fixing the flaws.

    It seems to me that it is no wonder that ethically inclined hackers would prefer to avoid approaching firms with their discoveries and instead just sit on them. Personally, I think ethics be gone and let the big lawyered up firms take their attitudes and suffer the consequences.

    Contact the firm, set a deadline and then release the zero-day exploit anonymously on the specified date as promised.

    • by The Mr.K (810856)
      It's unfortunate, but the companies have basically made this market a viable option for white-hats looking to solve security issues. It helps protect them against being sued, and they also get money to boot.
  • Ethics? Have you looked at the pathological behaviour that passes for ethics in business these days?
  • by PPH (736903) on Friday November 11, 2011 @07:11PM (#38030534)

    1. Get a job at Microsoft.
    2. Incorporate bugs into product.
    3. Sell info. on said bugs through Secunia.
    4. ????
    5. Profit!

    I think Scott Adams addressed the issue of a bug market years ago.

  • It would depend on how many days I had gone without food.
  • if(free_s)
    {
            return bugfix;
    }
    else
    {
          return profit;
    }

  • Secunia's program doesn't offer any $ so why the fuck give them anything. ZDI offers basically nothing.

    There are a few places which offer decent cash and there are a few ebay-ish places which let you sell but they aren't that popular.

    Amazon says they want to offer everything... they should allow it and all we need to do is put them up there.

Pause for storage relocation.

Working...