Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days.
Since to find this kind of vulnerability usually takes months of full-time hacking, hackers ask from tens of thousands to hundreds of thousands dollars for each one.
According to Ventura County Star, there is a growing underground market flourishing around these vulnerabilities, but there are also “white markets” – set up by VeriSign, TippingPoint, Google – where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of.
Even government agencies from all over the world are engaged in buying these zero-days, since it’s vital for them to fortify their defenses against breaches. Usually, they can offer larger amounts of money for the flaws than any of the companies. Pedram Amini of TippingPoint says that when governments are involved, a vulnerability can sometimes yield as much as $1 million to the skillful researcher.
In general, companies refuse to pay researchers for the vulnerabilities. Microsoft is famous for it. In their opinion, offering payment would “not foster a community-based approach to protecting customers from cybercrime.” On the other hand, Mozilla and Google offer a modest fee (around $500) for bugs and vulnerabilities found in the Firefox and Chrome browsers.
But what is that compared to the estimated $40,000 that the IE flaw used in the Google attack could have commanded? Charlie Miller, a security researcher with Independent Security Evaluators, who sold a bug he discovered in the Linux OS to a government contractor for $50,000 dollars, said that choosing whether to sell such an item or give it away for free to Microsoft is a hard decision to make, but that the amount of money he received for it is difficult to turn down.
Rest assured, this is an issue that will continue to be debated for a good while yet, along with the issue of responsible disclosure.