Re: [Full-disclosure] iDefense Q-1 2007 Challenge

To: Blue Boar <BlueBoar@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] iDefense Q-1 2007 Challenge
From: "K F (lists)" <kf_lists@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 16 Jan 2007 14:02:27 -0500
Cc: Untitled <full-disclosure@xxxxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <45AD1AFB.1030705@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <C1D27240.1734D%simon@xxxxxxxxxxx> <45AD0B85.8040006@xxxxxxxxxxxxxxxxxxx> <45AD1AFB.1030705@xxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.9 (Macintosh/20061207)

This is very true... and in some cases rather than do either you choseto sit on the bug. Its almost a cache 22... some folks invest timeupfront putting work into various vulnerabilities and have no way to getback that investment. That in essence amounts to free QA for vendor X,Yor Z and nothing for the researcher. In efforts to offset some of thosecosts those same folks often look to sell a bug or two here and thererather than instantly give them to the vendor. Unfortunately the currentpublic options pay very little cash and its almost not worth selling thebugs in some instances.I sat on the Veritas bug that was used as 3com / ZDI's first release forover a year at the very least... quite a bit of time was put intotooling that bug into a workable exploit / proof of concept. The bug wasoffered to iDefense well before ZDI even existed but their offer hardlycovered the hourly rate of the individuals that worked to make it into avalid exploitable issue. I do not recall the exact price but I thinkthere was a $2k cap per bug at that time. Rather than sell it so cheapwe just sat on it...

The vendor had been very non responsive to previous security requests sothere was no real incentive to report it to them either. Eventually ZDIcame along and we pushed the bug to them for quite a bit more than theiDefense offer. Even though 3com pays very well, after splitting apayout between 2 researchers that had to pay uncle sam via 1099 it oftenseems like a waste of time.

I do not know the going rate for a years worth of iDefense Corp updatesor a years worth of support for ZDI's IDS but I would have to expectthat these companies are profiting far more than the average researcherthat submits to them. How about the free QA that the vendors get... howmuch is it per license for some of these products, can't theycollaborate with folks like ZDI or iDefense to get some betterincentives going ? At this point ... like I said its almost not worthselling to these sorts of companies.... uncle sam is a friggin houndover 1099 money.

-KF


Me, for example, if I were capable of of finding such vulns, I wouldn't
sell them to the guys writing the drive-by spyware installers. I might
sell it to iDefense or Tippingpoint, though.

                                        BB

References:
- Re: [Full-disclosure] iDefense Q-1 2007 Challenge
  - From: Simon Smith
- Re: [Full-disclosure] iDefense Q-1 2007 Challenge
  - From: K F (lists)
- Re: [Full-disclosure] iDefense Q-1 2007 Challenge
  - From: Blue Boar

Prev by Date: rPSA-2007-0008-1 gd
Next by Date: Re: Ipswitch WS_FTP 2007 Professional "wsftpurl" access violation vulnerability
Previous by thread: Re: [Full-disclosure] iDefense Q-1 2007 Challenge
Next by thread: Re: [Full-disclosure] iDefense Q-1 2007 Challenge
Index(es):
- Date
- Thread