Survey Shows Most Flaws Sold For $5,000 Or Less

Author: Dennis Fisher
minute read

A new survey, which may be the first of its kind, has looked at the relative trustworthiness and responsiveness of the various organizations that buy vulnerabilities and found that TippingPoint’s Zero Day Initiative is rated by researchers as the most trustworthy and is the preferred buyer.

A new survey, which may be the first of its kind, has looked at the relative trustworthiness and responsiveness of the various organizations that buy vulnerabilities and found that TippingPoint’s Zero Day Initiative is rated by researchers as the most trustworthy and is the preferred buyer.

The survey, posted by Unsecurity Research, asked researchers who have sold vulnerabilities to the public buyers as well as through private sales to rate the buyers on their trustworthiness, how quickly they paid, how much they paid and several other criteria. ZDI fared the best on trustworthiness, scoring a 3.5 out of 5, barely edging out SecuriTeam, which rated 3.3. However, ZDI also took the longest to actually make an offer to buy a vulnerability and was among the slower groups when it came time to pay.

Among the more interesting data in the survey’s results is the amount of money that these organizations, which also include VeriSign’s iDefense unit, iSight, Netragard and others. The data shows that across all of the organizations, the vast majority of vulnerabilities, both client-side and server-side, are being sold for less than $5,000.

Only a handful of the survey’s respondendents reported selling vulnerabilities for more than $10,000.Most of those high-value vulnerabilities were bought by SecuriTeam, including five client-side flaws and six server-side flaws. It’s not clear whether SecuriTeam offers higher prices in general or whether the researchers who responded to the survey had simply brought the company more serious vulnerabilities.

There is no identifying information posted about the researchers who responded to the survey, which makes it somewhat difficult to gauge the quality of the data. The sample size of the survey also appears to be fairly small, around 30 respondents or so.

Organized vulnerability-purchasing programs such as those run by ZDI, iDefense and others are still relatively new, having popped up in the middle part of the last decade. However, private sales between researchers and vendors or researchers and government agencies have been going on for much longer. Researchers say that those private sales tend to be far more lucrative, but also can be more difficult to negotiate and complete.

Suggested articles

Security A Hidden Benefit of iOS 4.2 Update

Apple iPhone and iPad users are buzzing about the new features that come with the latest update to the company’s iOS mobile operating system. But the update also contains dozens of fixes for security holes that could have allowed attackers to compromise the popular devices using malicious PDF files, Web based attacks, and more. 

Apple Patches Safari Browser Holes

Apple on Thursday issued updates for its Safari Web browser to fix more than two dozen vulnerabilities that left the browser open to Web-based attacks. 

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.