Survey Shows Most Flaws Sold For $5,000 Or Less

A new survey, which may be the first of its kind, has looked at the relative trustworthiness and responsiveness of the various organizations that buy vulnerabilities and found that TippingPoint’s Zero Day Initiative is rated by researchers as the most trustworthy and is the preferred buyer.

A new survey, which may be the first of its kind, has looked at the relative trustworthiness and responsiveness of the various organizations that buy vulnerabilities and found that TippingPoint’s Zero Day Initiative is rated by researchers as the most trustworthy and is the preferred buyer.

The survey, posted by Unsecurity Research, asked researchers who have sold vulnerabilities to the public buyers as well as through private sales to rate the buyers on their trustworthiness, how quickly they paid, how much they paid and several other criteria. ZDI fared the best on trustworthiness, scoring a 3.5 out of 5, barely edging out SecuriTeam, which rated 3.3. However, ZDI also took the longest to actually make an offer to buy a vulnerability and was among the slower groups when it came time to pay.

Among the more interesting data in the survey’s results is the amount of money that these organizations, which also include VeriSign’s iDefense unit, iSight, Netragard and others. The data shows that across all of the organizations, the vast majority of vulnerabilities, both client-side and server-side, are being sold for less than $5,000.

Only a handful of the survey’s respondendents reported selling vulnerabilities for more than $10,000.Most of those high-value vulnerabilities were bought by SecuriTeam, including five client-side flaws and six server-side flaws. It’s not clear whether SecuriTeam offers higher prices in general or whether the researchers who responded to the survey had simply brought the company more serious vulnerabilities.

There is no identifying information posted about the researchers who responded to the survey, which makes it somewhat difficult to gauge the quality of the data. The sample size of the survey also appears to be fairly small, around 30 respondents or so.

Organized vulnerability-purchasing programs such as those run by ZDI, iDefense and others are still relatively new, having popped up in the middle part of the last decade. However, private sales between researchers and vendors or researchers and government agencies have been going on for much longer. Researchers say that those private sales tend to be far more lucrative, but also can be more difficult to negotiate and complete.

Suggested articles

Security A Hidden Benefit of iOS 4.2 Update

Apple iPhone and iPad users are buzzing about the new features that come with the latest update to the company’s iOS mobile operating system. But the update also contains dozens of fixes for security holes that could have allowed attackers to compromise the popular devices using malicious PDF files, Web based attacks, and more. 

Apple Patches Safari Browser Holes

Apple on Thursday issued updates for its Safari Web browser to fix more than two dozen vulnerabilities that left the browser open to Web-based attacks. 

Discussion

  • Anonymous on

    The survey was initially advertised in a very limited way. Now that the first results have been posted the next set of results will have a wider error margin but a larger sampling. 

  • Anonymous on

    This is ridiculousness, those of us who sell 0day exploits for large dollar amounts will not be filling out this survey because it provides no benefit to tell the public anything about private business dealings. If the public keeps thinking nobody is making money selling 0day then that is better for my business. 

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.