January 30, 2007

NY Times article on the market for vulnerabilities

The technology section of the Times today has a good article on the vulnerability market by Brad Stone: not vulnerability management, but vulnerability research, the buying and selling of vulnerabilities, and the motives of the people doing it. It starts out with the current quest to find vulnerabilities in Vista. The public side, it points out, is being financed by companies like iDefense/VeriSign. While no one is endorsing the iDefense program, the article points out that it pales next to some of the underground markets for vulnerabilities. Trend Micro claims there was a Vista flaw on sale for 50k. From there the article tries to give the Times reader a glimpse into the seamier side of vulnerability research.

What I thought interesting is their discussion of responsible disclosure and the changing profile of vulnerability researchers. What are the factors driving this? First of all, the increasing cost and complexity of finding new vulnerabilities. Also, while many vulnerability researchers would find vulnerabilities for the glory, now people say "show me the money". Legitimate sources don't pay enough for less scrupulous researchers, so they hawk their findings on the back channels of the net. I don't think any of this is earth-shattering to those in the security business, but I am always amused when I see this stuff go mainstream in a publication like the Times.

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.