Don't wanna give away vulns for free? Try auctioning to the newly formed market. Charlie Miller, now the principal security analyst at Independent Security Evaluators, said the demands for payments stem from frustrations that vendors' in-house researchers "are making a lot of money to look for bugs and whenever someone from the outside finds something, they don't get paid anything." Preatoni described his auction as a way for researchers to receive what their knowledge is truly worth, saying the security industry is currently built on top of research that is undervalued.
Although researchers historically have shared knowledge for free, "there's been a market that has naturally evolved where this information is power," said Ken Durham, director of the rapid response team with VeriSign-iDefense. "Our concern is people would start to turn to the dark side unless they had a responsible avenue." Terri Forslof, who runs TippingPoint's Zero Day Initiative, said programs like hers can never pay as much as the black market, but most legitimate researchers are willing to accept smaller payments knowing the buyer would handle the information responsibly.
Researchers seek cash for software flaws - Yahoo! News