« Rant: Security 2.0 and Ethics 0.2 Beta | Main | Google Home-brews Powerful Automatic Scanning Fuzzer »

Zero-day sales not "fair" -- to researchers

" Two years ago, Charles Miller found a remotely exploitable flaw in a common component of the Linux operating system, and as many enterprising vulnerability researchers are doing today, he decided to sell the information.

“ I don't think it fair that researchers don't have the information and contacts they need to sell their research. ”

Charles Miller, principal security consultant, Independent Security Evaluators

Having recently left the National Security Agency, the security professional decided to try his hand at selling the bug to the U.S. government. In a paper due to be presented next week at the Workshop on the Economics of Information Security, Miller -- now a principal security analyst at Independent Security Evaluators -- writes about the experience and analyzes the market for security vulnerabilities.

In the case of the Linux flaw, one agency offered him $10,000, while a second told him to name a price. When he said $80,000, his contact quickly agreed.

"The government official said he was not allowed to name a price, but that I should make an offer," Miller told SecurityFocus. "And when I did, he said OK, and I thought, 'Oh man, I could have gotten a lot more.'"

Article Link: http://www.securityfocus.com/news/11468


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!