Who profits on vulnerabilities for sale?

The number of software vulnerabilities discovered during 2010 may be smaller than that of those discovered the previous year, but they still bring money to its discoverers.

Depending on whether the researcher is a whitehat or a blackhat and on which software the vulnerability was found, the vulnerability will be disclosed to developers such as Google, Mozilla, and others who instituted bug bounty programs – and be paid for anywhere between $500 to $3133.7 – or to the highest bidder on online black markets where criminal organizations search for zero-day bugs to aid them in the launch of their next attack.

According to Roland Dela Paz, a TrendMicro researcher, even the mere “idea” of a possible vulnerability might sometimes fetch a good price in the cybercrime underground.

Of course, if the vulnerability is found in a very popular application such as the Internet Explorer browser or the Adobe (PDF) Reader, the price for a working exploit may even reach $100,000.

Once the vulnerability and the exploit code becomes common knowledge, it is often incorporated in various exploit kits that can be bought on underground forums that serve as markets.

For example, the popular Eleonore exploit kit incorporates exploits that targets a great number of applications: IE, Firefox, Opera, Flash Player, Java, Adobe Acrobat and Reader (among others).

They are also used for improving and enlarging botnets, which then makes them more effective when it comes to installing malware.