So You Want To Be a Zero Day Exploit Millionaire? 36
gManZboy writes "There's a thriving trade in zero-day vulnerabilities, predicated on keeping knowledge of these vulnerabilities out of the public domain. For security researchers with knowledge of a bug that's not worth much, or for researchers who question the ethics of selling any bug information, there are alternatives. Vulnerability information service Secunia launched its Secunia Vulnerability Coordination Reward Program, which formalizes what Secunia says it's been doing informally for some time: It acts as a go-between for security researchers that have discovered a vulnerability in a product, and the vendor of that product. Do such practices jeopardize security for the many, while safeguarding just the few? It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market. If you're going to cash in, you face some tough ethical questions."
I cannot spend ethics (Score:4, Insightful)
I cannot spend ethics, cash however is always welcome.
Re:I cannot spend ethics (Score:4, Insightful)
Besides that. "Ethics"? what a crock. That's something for Disney movies.
Re: (Score:1)
Ethics is something an employed person might care about.
Take away those jobs and take into account corporations' lax attitude about security (which doesn't "add value") and you will have a lot of disgruntled people with inside knowledge of vulnerabilities and trade secrets, who may choose to instead profit directly or indirectly from their new line of work.
People won't bite the hand that feeds them, but they will bite the hand that slaps 'em.
-- Ethanol-fueled
Re: (Score:1)
Hmmm, so I guess your daughter/son/mother/brother/other loved one is fair game, huh? Ethics has many faces, friend. Home is a good starting point.
Re: (Score:2)
There is a fairly eloquent youtube video that discusses security researchers actually being paid for their efforts :
http://www.youtube.com/watch?v=aVtXac6if14#t=4m
Re: (Score:2)
what does "ethics" have to do with it? (Score:5, Insightful)
Tough ethical questions (Score:3)
Not really. And remember too that ethics are relative.
I know what i would decide without thinking twice, and yes the world would be screwed. In a heartbeat.
Custom made vulnerabities (Score:1)
It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market.
-- OR --
Perhaps the vulnerabilities were originally engineered for the authors?
Ethics be damned.. (Score:3, Informative)
It is common practice among digitally inclined firms to sue white-hats when they contact them about security vulnerabilities in their systems, rather than getting down and patching the holes and fixing the flaws.
It seems to me that it is no wonder that ethically inclined hackers would prefer to avoid approaching firms with their discoveries and instead just sit on them. Personally, I think ethics be gone and let the big lawyered up firms take their attitudes and suffer the consequences.
Contact the firm, set a deadline and then release the zero-day exploit anonymously on the specified date as promised.
Re: (Score:1)
Ethics? (Score:2)
Get a job at Microsoft (Score:3)
1. Get a job at Microsoft.
2. Incorporate bugs into product.
3. Sell info. on said bugs through Secunia.
4. ????
5. Profit!
I think Scott Adams addressed the issue of a bug market years ago.
Ethics Gradient (Score:2)
Ethics? It's much simpler than that for me! (Score:1)
if(free_s)
{
return bugfix;
}
else
{
return profit;
}
Secunia doesnt pay anything. (Score:1)
Secunia's program doesn't offer any $ so why the fuck give them anything. ZDI offers basically nothing.
There are a few places which offer decent cash and there are a few ebay-ish places which let you sell but they aren't that popular.
Amazon says they want to offer everything... they should allow it and all we need to do is put them up there.