The market for buying and selling vulnerabilities always grabs my interest. Charlie Miller wrote a great paper discussing his personal experiences selling two zero-day vulnerabilities:
Trading of 0-day computer exploits between hackers has been taking place for as long as computer exploits have existed. A black market for these exploits has developed around their illegal use. Recently, a trend has developed toward buying and selling these exploits as a source of legitimate income for security researchers. However, this emerging “0-day market” has some unique aspects that make this particularly difficult to accomplish in a fair manner. These problems, along with possible solutions will be discussed. These issues will be illustrated by following two case studies of attempted sales of 0-day exploits.
It’s refreshing to see an academic paper that discusses real-world experiences. Especially ones that most of us never get a chance to see, such as the selling of vulnerabilities to firms other than TippingPoint and iDefense. In one of his examples, he reportedly sold a vulnerability for $50,000 to a government agency. Charlie’s writing is also amusing. After discrediting an earlier paper, he calls for the author to buy him a beer. He also talks about how “it can be difficult for the researcher to verify the buyer’s intentions and avoid a trip to “Gitmo”.”
You can read his entire paper here: The Legitimate Vulnerability Market, Inside the Secretive World of 0-day Exploit Sales.
I’m still waiting for a zeroBay.