freakn wrote: Don't wanna give away vulns for free? Try auctioning to the newly formed market.
Try being the operative word. While WabiSabiLabi has gotten lots of press over the past few weeks, there are only 5 vulnerabilities there, four of which were there when I first heard about the site. Two have apparently been purchased. There has been a public effort to reverse engineer at least one of the bugs based solely on the title description. The problems are:

1. If you put something serious up for auction the security community would react immediately, and they may react by auditing instead of purchasing. A day of auditing costs less than $10,000.
2. You have to sell to the highest bidder, even if the highest bidder is Osama Bin Laden. This takes all of the ethics out of the practice.

I think this has mostly just been an occasion for various people in the industry to express their views on more serious efforts such as those pursued by TippingPoint and iDefense. You can sell them bugs. WabiSabiLabi is not serious until it's serious. In any event, I don't really think it's possible to sustain one's self as a researcher on money made this way. If you find something, you might make some bucks off of it, but you aren't going to find enough on a regular basis to keep a roof over your head.