"I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an online interview. It's a statement that underscores the increasing acceptance of the sale of vulnerability information. Once a frowned-upon practice, the sale of such information is taking off. Flaw bounty programs such as TippingPoint's Zero-Day Initiative (ZDI) and iDefense's Vulnerability Contributor Program (VCP) have added legitimacy to the practice, even if they remain controversial. Software vendors have had to increasingly get used to dealing with third parties reporting security flaws that were bought from anonymous researchers. Microsoft, for example, patched at least 17 flaws reported by the two programs in 2006, up from 11 reported in 2005.
In many ways, the push by researchers for greater returns on their research efforts is part of the ebb and flow of the debate over the proper way to disclose information about software vulnerabilities. In 2000, a researcher known as Rain Forest Puppy released a basic framework, dubbed the RFPolicy, for disclosing vulnerabilities in a way that seemed fair to responsible software makers. In 2002, two security researchers further refined the guidelines and submitted them to the Internet Engineering Task Force (IETF), but the technical standards body decided that setting disclosure policy was outside of its jurisdiction. Over the past few years, software makers, and Microsoft in particular, have focused on holding researchers to the guidelines, calling such disclosure "responsible."
It's been an uneasy truce, and one that has fractured in many places. In 2005, a researcher attempted to auction off information about a flaw in Microsoft Office. Other flaw finders have decided to just release details of vulnerabilities they have found as a punishment for, what they believe to be, irresponsible behavior on the part of the software vendor. In the last six months, for example, a number of researchers have collected advisories on potential security issues into month-long releases of daily bugs. The trend started with the Month of Browser Bugs in July and continues with the latest Month of Apple Bugs this month.
Now, flaw finders fed up with software vendors are increasingly turning to third parties to buy their research.
"One of the reasons why the hacking community is so frustrated with large corporations is because these corporations are making a killing off their research and they are not seeing fair value for their work," Desautels said in an online interview with SecurityFocus.
Software makers typically do not pay for vulnerability information, with the notable exception of the Mozilla Foundation. The well-known public bounty programs typically pay thousands of dollars for original vulnerabilities, while lesser-known private deals can net a researcher tens of thousands of dollars, according to security experts.
The amounts quoted by Desautels are not excessive, according to experts interviewed by SecurityFocus.
In September, for example, a private buyer approached noted security researcher HD Moore and offered between $60,000 and $120,000 for each client side vulnerability found in Internet Explorer, the founder of the Metasploit Project said. Moore declined to pursue the offer, but said that such prices are typical of high-level private purchases, while information on serious flaws in generic enterprise-level applications can be sold to safe buyers--such as 3Com's ZDI program and VeriSign's VCP program--for between $5,000 and $10,000.
"The ZDI and (VCP) programs are definitely the easier way to sell a vulnerability, but at the 5x or 10x multipliers you see from a private buyer, it's usually worth the effort," Moore told SecurityFocus in an e-mail interview