Full Disclosure mailing list archives

Re: iDefense Q-1 2007 Challenge


From: "K F (lists)" <kf_lists () digitalmunition com>
Date: Tue, 16 Jan 2007 14:02:27 -0500

This is very true... and in some cases rather than do either you choose 
to sit on the bug. It's almost a catch 22... some folks invest time 
upfront putting work into various vulnerabilities and have no way to get 
back that investment. That in essence amounts to free QA for vendor X, Y 
or Z and nothing for the researcher. In efforts to offset some of those 
costs those same folks often look to sell a bug or two here and there 
rather than instantly give them to the vendor. Unfortunately the current 
public options pay very little cash and it's almost not worth selling the 
bugs in some instances. 

I sat on the Veritas bug that was used as 3com / ZDI's first release for 
over a year at the very least... quite a bit of time was put into 
tooling that bug into a workable exploit / proof of concept. The bug was 
offered to iDefense well before ZDI even existed but their offer hardly 
covered the hourly rate of the individuals that worked to make it into a 
valid exploitable issue. I do not recall the exact price but I think 
there was a $2k cap per bug at that time. Rather than sell it so cheap 
we just sat on it...

The vendor had been very non-responsive to previous security requests so 
there was no real incentive to report it to them either. Eventually ZDI 
came along and we pushed the bug to them for quite a bit more than the 
iDefense offer. Even though 3com pays very well, after splitting a 
payout between 2 researchers that had to pay Uncle Sam via 1099 it often 
seems like a waste of time.

I do not know the going rate for a year's worth of iDefense Corp updates 
or a year's worth of support for ZDI's IDS but I would have to expect 
that these companies are profiting far more than the average researcher 
that submits to them. How about the free QA that the vendors get... how 
much is it per license for some of these products, can't they 
collaborate with folks like ZDI or iDefense to get some better 
incentives going? At this point... like I said it's almost not worth 
selling to these sorts of companies.... Uncle Sam is a friggin hound 
over 1099 money.

-KF

Me, for example, if I were capable of finding such vulns, I wouldn't
sell them to the guys writing the drive-by spyware installers. I might
sell it to iDefense or Tippingpoint, though.

                                      BB


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
