We regret to say that it's true: we've shut down the Exploit Acquisition Program. The reason for the shutdown was that it was taking our buyers too long to complete a single transaction, and it wasn't fair to the researchers. While we'd expect a single transaction to take no more than a month, the average transaction time for our buyer was 4 months. The last transaction that we attempted took 7 months, at which point the issues were silently patched and the transaction was dead. As it stands right now, we can't justify asking anyone to wait that long to move a single item. So until the end players learn how to move faster, the high-price bug brokering market just isn't viable.
There were two articles written regarding our Exploit Acquisition Program. One of the articles was written by Computerworld and the other by Darkreading. Something worth noting, though, is that there seems to have been some miscommunication. During the interview I did not claim that we had brokered an item for $200,000.00. What I did say was that I have heard of very specific and rare items being sold for that much. In all reality, the average sale price for exploits seems to range between $10,000.00 and $20,000.00.
Sunday, March 16, 2008
5 comments:
Don't tell me you never saw this coming. Vendors and companies are scumbags who don't give a shit about researchers.
We knew that there was a chance that the Exploit Acquisition Program wouldn't succeed. With that said, I don't think that I'd go so far as to call vendors scumbags.
The fact of the matter is that when you identify a vulnerability in a vendor's technology and notify the vendor of the issue, that becomes an interruption in their development life cycle. That translates to small business interruptions that cost money.
The real problem is that today's vendors do not have development life cycles that enable them to fix discovered vulnerabilities quickly, without disruption.
I don't think companies will ever be ready to engage in a brokered vulnerability market until they feel some economic/regulatory pain first.
As a developer I know for a certainty that security holes are considered a non-issue by management unless people are actually exploiting them. I think every company will need to go through some pain à la Microsoft before their testing/acknowledgment processes keep up with researchers.
Vulnerability researchers are, on the whole, trying to be good citizens. Too bad the software companies are not keeping pace.
But what about Microsoft? Are you excluding them or their bugs? They have a pretty ironclad process. I think maybe there is just some confusion about who the end players you were working with are? If it's government, then the timeline makes sense, as Charlie Miller demonstrated with the issue he sold.
If some vendors are willing to buy, point us to 'em! It would be good to have a list. :D