Saturday, April 25, 2009

A Vulnerability Research to the Real World's Exploit Market

A software vulnerability is always count as an after math on vendor supplied application. Although, if the proper security controls have been in place before the delivery of the actual software then it might have less chance of any common security defect. Recently, number of known organizations have came out to make a bridge between 0-day vulnerability researchers and the software vendors to help reduced the security issues in their applications. At the same time, market has grown more efficienly and in parallel with different security researchers from around the world. Few of those companies who pay to the researchers are:

Zero Day Initiative: http://www.zerodayinitiative.com/ (3Com/TippingPoint division)
iDefense VCP: http://labs.idefense.com/vcp/ (VeriSign's company)
Snosoft: http://www.netragard.com (Netragard's company)
WabiSabiLabi: http://www.wslabi.com

To mention, each of these organizations have their own terms and conditions and payment structure for vulnerabilities and exploit codes. According to the guide, "2007-The Legitimate Vulnerability Market" few most important key issues have been highlighted regarding vulnerability from zero day perspectives.

1. Vulnerability information is time-sensitive commodity
2. No transparency in pricing (there is no public information on any vulnerability types, it depends on different factors)
3. Finding buyers and sellers
4. Checking the buyer
5. Actual value of 0day vulnerbaility cannot be initiated unless the loss is demonstrated
6. Intellectual property rights (how the researcher should feel safe in demonstration without losing its exclusive rights over vulnerability research)

Each vulnerability researched and provided with underline PoC (proof-of-concept) code is passed through number of stages as the one given below, through above third-party legitimate :

Date Action
---- ------
06/05 Vulnerability discovered.
11/7/05 Submitted to prepub review at NSA.
7/27/06 Approved for release by prepub review.
7/27/06 Offered to government.
8/10/06 Verbally agreed to $80,000 conditional deal.
8/11/06 Exploit given for evaluation.
8/25/06 Hash of exploit published.
8/28/06 Agreed to lesser amount
09/8/06 Paid

For several years, security researchers have involved with many types of organizations including Financial institutions, Service providers, OS vendors, Security vendors, Government and Defense operators to help remove any un-discovered security flaws. Taking further highlights from the above article give more clear overview on exploit pricing structure ranging from $4000-250,000.