Vulnerability Development mailing list archives

Re: 0-day exploit..do i hear $1000?


From: "Markus Kern" <markus-kern () gmx net>
Date: Sun, 21 Oct 2001 11:39:06 +0200


foob () return0 net wrote: 

But security companies don't need some 0day script to exploit a
vulnerability, they just need to know about the vulnerabilities.

From reading the pen-test mailing list I've got the impression that
many penetration testers have their own collection of proprietary
exploit code. Either because there's no public exploit code for a 
vulnerability at all or because the code available isn't
sophisticated enough / only works under certain conditions (e.g.
it's for Linux when you need it for BSD).
They need the exploits because they want to penetrate into the LAN
of their clients and look for other vulnerable systems.

Imagine a company which does nothing but code exploits. Their
exploits will all have the same structure, will be scriptable and
you can get them in different flavors (e.g. one that phones home,
one that uses an HTTP tunnel, ...). Say it takes them 24 hours after
the bug is made public till they can provide perfect exploit code.

Why should any pen-testing company employ someone for exploit coding
if it's cheaper to just buy the finished exploit code?

The entire process is inherent to capitalism. People specialize in
what they can do best and sell it. As long as someone is willing to
pay for it there'll be someone selling it.

just my 2 cents
Markus

