[ISN] The Vulnerabilities Market and the Future of Security

From: InfoSec News <alerts_at_private>
Date: Thu, 31 May 2012 04:18:51 -0500 (CDT)

By Bruce Schneier

Recently, there have been several articles about the new market in 
zero-day exploits: new and unpatched computer vulnerabilities. It’s not 
just software companies, who sometimes pay bounties to researchers who 
alert them of security vulnerabilities so they can fix them. And it’s 
not only criminal organizations, who pay for vulnerabilities they can 
exploit. Now there are governments, and companies who sell to 
governments, who buy vulnerabilities with the intent of keeping them 
secret so they can exploit them.

This market is larger than most people realize, and it’s becoming even 
larger. Forbes recently published a price list for zero-day exploits, 
along with the story of a hacker who received $250K from “a U.S. 
government contractor.” (At first I didn’t believe the story or the 
price list, but I have been convinced that they both are true.) Forbes 
also published a profile of a company called Vupen, whose business is 
selling zero-day exploits. Other companies doing this range from 
startups like Netragard and Endgame to large defense contractors like 
Northrop Grumman, General Dynamics, and Raytheon.

This is very different from 2007, when researcher Charlie Miller wrote 
about his attempts to sell zero-day exploits, and from 2010, when a 
survey implied that there wasn’t much money in selling zero days. The 
market has matured substantially in the past few years.

This new market perturbs the economics of finding security 
vulnerabilities. And it does so to the detriment of us all.


Received on Thu May 31 2012 - 02:18:51 PDT
