<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] iDefense Q-1 2007 Challenge



This is very true... and in some cases rather than do either you chose to sit on the bug. Its almost a cache 22... some folks invest time upfront putting work into various vulnerabilities and have no way to get back that investment. That in essence amounts to free QA for vendor X,Y or Z and nothing for the researcher. In efforts to offset some of those costs those same folks often look to sell a bug or two here and there rather than instantly give them to the vendor. Unfortunately the current public options pay very little cash and its almost not worth selling the bugs in some instances. I sat on the Veritas bug that was used as 3com / ZDI's first release for over a year at the very least... quite a bit of time was put into tooling that bug into a workable exploit / proof of concept. The bug was offered to iDefense well before ZDI even existed but their offer hardly covered the hourly rate of the individuals that worked to make it into a valid exploitable issue. I do not recall the exact price but I think there was a $2k cap per bug at that time. Rather than sell it so cheap we just sat on it...

The vendor had been very non responsive to previous security requests so there was no real incentive to report it to them either. Eventually ZDI came along and we pushed the bug to them for quite a bit more than the iDefense offer. Even though 3com pays very well, after splitting a payout between 2 researchers that had to pay uncle sam via 1099 it often seems like a waste of time.

I do not know the going rate for a years worth of iDefense Corp updates or a years worth of support for ZDI's IDS but I would have to expect that these companies are profiting far more than the average researcher that submits to them. How about the free QA that the vendors get... how much is it per license for some of these products, can't they collaborate with folks like ZDI or iDefense to get some better incentives going ? At this point ... like I said its almost not worth selling to these sorts of companies.... uncle sam is a friggin hound over 1099 money.

-KF

Me, for example, if I were capable of of finding such vulns, I wouldn't
sell them to the guys writing the drive-by spyware installers. I might
sell it to iDefense or Tippingpoint, though.

                                        BB