A new survey, which may be the first of its kind, has looked at the relative trustworthiness and responsiveness of the various organizations that buy vulnerabilities and found that TippingPoint’s Zero Day Initiative is rated by researchers as the most trustworthy and is the preferred buyer.
The survey, posted by Unsecurity Research, asked researchers who have sold vulnerabilities to the public buyers as well as through private sales to rate the buyers on their trustworthiness, how quickly they paid, how much they paid and several other criteria. ZDI fared the best on trustworthiness, scoring a 3.5 out of 5, barely edging out SecuriTeam, which rated 3.3. However, ZDI also took the longest to actually make an offer to buy a vulnerability and was among the slower groups when it came time to pay.
Among the more interesting data in the survey’s results is the amount of money that these organizations, which also include VeriSign’s iDefense unit, iSight, Netragard and others. The data shows that across all of the organizations, the vast majority of vulnerabilities, both client-side and server-side, are being sold for less than $5,000.
Only a handful of the survey’s respondendents reported selling vulnerabilities for more than $10,000.Most of those high-value vulnerabilities were bought by SecuriTeam, including five client-side flaws and six server-side flaws. It’s not clear whether SecuriTeam offers higher prices in general or whether the researchers who responded to the survey had simply brought the company more serious vulnerabilities.
There is no identifying information posted about the researchers who responded to the survey, which makes it somewhat difficult to gauge the quality of the data. The sample size of the survey also appears to be fairly small, around 30 respondents or so.
Organized vulnerability-purchasing programs such as those run by ZDI, iDefense and others are still relatively new, having popped up in the middle part of the last decade. However, private sales between researchers and vendors or researchers and government agencies have been going on for much longer. Researchers say that those private sales tend to be far more lucrative, but also can be more difficult to negotiate and complete.