Matasano Chargen: Laziness Of A Blogger At Midnight

  • Bee Binger · 2 years ago
    "(*) Who is to say that the vulnerability for sale is the one of the vulnerabilities identified by our readers."

    In my opinion it does not matter whether the exact vulnerability being sold was found or not, just that a vulnerability was found.

    For most people whether their intentions are good or bad as long as they have one way to exploit an application reliably then this is all they need.

    As Stefan pointed out, the easy "require()" bugs are patched, but the application is riddled with bugs where the user can control calls to exec. What more do you need? I think any unpatched bug (or many bugs in this case) in an application makes buying a random one for it worthless.
  • batz · 2 years ago
    When I saw this I thought, "Woohoo, now we can contribute a bunch of crappy modules to open source projects, then auction off vulnerabilities in them."

    This probably won't happen, as the stakes are far too low. An exploit auction is certainly a provocative idea. Whether it has an economic impact on exploit development remains unclear.
  • Mike Murray · 2 years ago
    Have to say, I was just being a pain. I understood the point, but there was another facet that I wanted to expound upon.

    Taking this point to its extreme, the interesting question would be around the economics of the auction itself - as you point out, it's possible that the value of the product radically changes during the auction.

    This isn't a problem that eBay has.
  • Dave G. · 2 years ago
    @Mike

    There is one area where I disagree with your post. There are plenty of researchers and affected code bases that have an excess of time and lack of funds. For example, open source projects aren't going to pay 700 Euros for a defect in their code.
  • newsham · 2 years ago
    I imagine there are better ways to use economics and markets to improve code quality. For example, a prediction market on wagers such as "there will be a remotely exploitable vulnerability in Internet Explorer in October 2007." People who are intimately familiar with the code quality could make money by using their knowledge to set the right price. People who research vulnerabilities in IE can "game" the system by releasing bugs and collecting payoffs. These insider trades are actually good because in the long run they ferret out bugs and give a realistic assessment of the security of a system (if shares are priced between $0 and $1, they will approach the probability of a bug being found). Win Win! And no need to sell vulns in private.

    (Oh yah, if you happen to be a heavy user of a technology, you can buy shares as a hedge against damages when vulns are released...)
  • Traveller_Adventure · 5 months ago
    What a useful post here. Very informative for me..TQ friends...

    Cheers,
    Buat Duit Dengan Blog
  • Julie Harris · 5 months ago
    I too am guilty of midnight blogging. I like to read blogs and post comments. It is fun. You need to update your post.
  • Julie Harris · 5 months ago
    You're right, vulnerability does sell. It has happened to me.