Discovering Security Bugs for Fun and Profit

Established Vendors Will Pay Up to $10,000 Per Bug, While Black Market Prices for 'Weaponized Exploits' May Reach as High as $30,000

PRNewswire
NEW YORK
Jul 24, 2006

NEW YORK, July 24 /PRNewswire/ -- Security vendors, anxious to get the advance word on potential holes in their commercial software products, are compensating researchers and other third parties in cash for exploits they discover, according to CMP Technologies' Dark Reading (http://www.darkreading.com/) Website.

Transactions between software vendors and legitimate researchers can run between $2,000 and $10,000, while black market transactions -- using exploits as tools for worms, phishing, and other malware -- reportedly can soar as high as $30,000 for these "weaponized exploits."

"What the two markets have in common is potential impact: The more targets a bug can hit if it's converted into an exploit and let loose in the wild, the more it pays," writes Kelly Jackson Higgins in her story, "Bucks for Bugs."

To read the full article, visit: http://www.darkreading.com/document.asp?doc_id=99518

According to the article, security vendor iDefense sponsored a contest earlier this year where the company paid $10,000 for remote Windows vulnerabilities.

Even the more legitimate finder's fees are not without controversy. Should vendors and researchers be paying for bugs? It's an ethical quandary. Some say the practice makes systems safer and more secure; others say profit is causing the creation of a market that creates more vulnerabilities. And the market is volatile: Bidding wars have been witnessed as vendors seek to be the first to market with a patch for an emerging vulnerability.

Not all researchers sell their bugs, however, and not all security firms will buy them, Dark Reading reports. eEye Digital Security, for instance, hires its own bug hunters and doesn't buy or sell what it finds.

For more information on "Bucks for Bugs," or on Dark Reading, go to http://www.darkreading.com/.

Contact:
  Alix Raine
  SVP Communications
  CMP Technology
  600 Community Drive
  Manhasset, NY 11030
  516-562-7827
  araine@cmp.com

About Dark Reading

Dark Reading is the latest enterprise-focused Web publication to emerge from CMP Technology's business unit, Light Reading Inc. As the Web's only one-stop security shop, Dark Reading simplifies the challenges IT professionals face in keeping informed about the latest viruses, enterprise network security, and data privacy.

About Light Reading Inc.

Founded in 2000, Light Reading Inc. (http://www.lightreading.com/) is the ultimate source for technology and financial analysis of the communications industry, leading the media sector in terms of traffic, content, and reputation. It reaches an extensive audience of executives and technologists within the telecom and enterprise networking communities, as well as the financial/industry analysts and investors who track these sectors. Light Reading was acquired by United Business Media in August 2005, and operates as a unit of CMP Technology.

About CMP Technology

CMP Technology (http://www.cmp.com/) is a marketing solutions company serving the technology industry. Through its market-leading portfolio of trusted information brands, CMP has earned the confidence of more technology professionals than any other media company. As a result, CMP is the premier provider of access, insight and actionable programs designed to connect sellers and buyers in ways that yield superior return on investment. CMP Technology is a subsidiary of United Business Media (http://www.unitedbusinessmedia.com/), a global provider of news distribution and specialist information services with a market capitalization of more than $3 billion.

SOURCE: Dark Reading

CONTACT: Alix Raine of SVP Communications for CMP Technology,
+1-516-562-7827, araine@cmp.com

Web site: http://www.darkreading.com/
http://www.darkreading.com/document.asp?doc_id=99518
http://www.lightreading.com/
http://www.cmp.com/
http://www.unitedbusinessmedia.com/