Comments on: Economics of Vulnerabilities: Markets?

By: Adam

Adam — Mon, 22 May 2006 15:13:47 +0000

Yes, by market I mean a public space in which price information is available. I appreciate the offer of tracking, and feel it points out just how broken this all is. If we had a functioning market, I wouldn’t need to tap into a Ryan or a Dave who’s spending time paying attention to the prices of vulns and exploits.
I’d just tap into the Chicago Vulnerability Exchange*, and find the bid and ask prices on a brand-x 0Day.
*CVE, of course, like the Chicago Mercantile Exchange. ;)

By: Ryan Russell

Ryan Russell — Mon, 22 May 2006 15:07:39 +0000

Ah, so by “market”, you mean you’re looking for an equivalent to a NYSE stock listing. Fair enough. Yes, pricing info is hard to find. You can look to iDefense’s offer of $10,000US for MS Criticals (last quarter) or DB Vendor Criticals (this quarter). You can look at reports of an IE 0-day being sold to spyware distributors for around $11,000. You could lend some creditbility to 0×80 claiming on Full-Disclosure that someone gave him $18,000US for a vuln. I believe I’ve read Dave Aitel say that a good Windows remote is worth about $20,000 to him.
But yes, not very formal.
You want to start tracking vulnerability prices? I can help you backfill some of the existing stuff.

By: Adam

Adam — Mon, 22 May 2006 14:33:24 +0000

I haven’t seen a clear price list, as in “we paid X for this vuln.” Such lists exist for markets. You know what Citicorp is worth, because the market tells you. You know what a house is worth. You dont know what a vuln is worth.
(AFAIK.)
There’s also the Lynn risk, which is distortive.

By: Ryan Russell

Ryan Russell — Mon, 22 May 2006 14:14:10 +0000

Are you suggesting that there aren’t already a dozen places I could sell a vulnerability for a decent chunk of change? At least two of them are “legit”, iDefense and TippingPoint. Or am I misunderstanding?