The Vulnerability Market Place

It sure was a matter of time until a major newspaper (Brad Stone for the New York Times) would pick up on the subject of trading vulnerabilities (article). Specifically selling vulnerabilities to companies, which provide some kind of a service around it.

On a recent blog post at Matasano (iDefense Underbids on Vista Vulnerabilities) I commented that: “No one guaranties the so-called 0-day is really is 0-day. The seller could have used it before, or sold it before, and still the knowledge of the existence of this vulnerability/exploit is not widely known”.

Theoretically speaking one can sell a vulnerability to multiple parties, and/or abuse it for other needs, without the buyer knowing that.

The market place for vulnerabilities does bring up interesting legal, and ethical questions regarding the actions of those companies who are buying these vulnerabilities and the source(s) they are buying these from.


Tags: ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: