Software bug-hunters looking for payoffs

Signs of a growing market
So far, the amount of vulnerability research that's sold pales in comparison to what's submitted directly to vendors or discovered by the vendors' own research staff. But there are signs the market is growing.

"It's new territory. It's uncharted," said Russell Smoak, head of Cisco's Product Security Incident Response Team. "I have been approached by researchers that have asked (for payment) and to date, we've said no."

Charlie Miller, now the principal security analyst at Independent Security Evaluators, said the demands for payments stem from frustrations that vendors' in-house researchers "are making a lot of money to look for bugs, and whenever someone from the outside finds something, they don't get paid anything."

Preatoni described his auction as a way for researchers to receive what their knowledge is truly worth, saying the security industry is currently built on top of research that is undervalued.

Matthew Murphy, who received hundreds of dollars for each of about a dozen submissions to iDefense's program, said that while payments aren't enough to replace a full-time job, they earned him enough in high school to buy his parents a new computer and give him spending money for dinner with friends.

But Miller, after trying to sell two separate vulnerabilities himself including the $50,000 one to the government, concluded it wasn't worth the trouble. He said it was difficult identifying potential buyers, and in one case the vendor had fixed the problem before he could complete the sale.

"I would have loved to start a business out of it," he said. "One of the lessons I learned is that it's impossible to do that."

Revealing enough ... but not too much
And that's been one of the challenges of the WabiSabiLabi auctions. Potential sellers must reveal enough to entice buyers, but revealing too much can help others find the flaw independently, negating its value. Preatoni said the site does verify all claims before starting an auction.

Microsoft, which makes the oft-targeted Windows operating system, said it has no plans to start paying contributors, noting that many researchers have eagerly submitted their findings with only the promise of credit, which can be added to resumes to boost job prospects.

"They've clearly told us that by working with us, that model also works for them," Microsoft's Miller said.

Marc Maiffret, chief technology officer at eEye Digital Security, said he, too, has refrained from paying contributors, saying such sales "are pretty much supporting a market which eventually turns into a bidding war. It drives people not to report (problems) to vendors."

Copyright 2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.