Re: Trend Micro's Vista "0day exploit auction" claim

[Cody Tubbs <tubbs () wispdirect com>]

My figures come from estimation.  I know someone making 75k doing QA for 
them, and they employee more QA engineers than you'd imagine.  Smaller 
companies usually employee 2-10+ for smaller software packages (I've 
been a part of some).
The reason I mentioned exploiting the exploiters is being that instead 
of hiring the exploiters (or should I say hiring the correct QA 
engineers to begin with), they'd rather suck up all of their exploits 
without hiring them, so that they can keep boasting they're unhackable 
after they make them sign off on not going pubic with the exploits (or 
their payment is void).  I'm sure if you've been keeping up with vista, 
you would have read these "unhackable" claims already.

It's not hard to look up exploit archives and find the authors names in 
the exploit headers, do background checks on them, and call up the ones 
without insane criminal history. (and to prevent future rebuttal, if its 
their handle that only resides in the headers, it's not that hard to 
handle->name with a bit of IRC'ing/SMTP'ing).

If you go by ISS each vulnerability type varies in worth.
To state the obvious, you are correct, $0.01- 50k is greater than $0, 
yet that's not what I'm trying to point out.

-Cody Tubbs


Chris Poulter wrote:
> 50k per vulnerability opposed to hundreds (unlikely) 60-100k/year
> (unlikely) - the Q/A's might only get 40-50k/year, a security
> vulnerability technician would be the one getting paid the big bucks,
> but there wouldn't be "hundreds" of them? - how do you work that one out
> to be more feasible?
>
> Considering everyone is presuming there will be lots of exploits,
> 50k/exploit will equate to a much larger payout....
>
> And exploit the exploiters? - how do you figure this one as well?
> Someone getting paid 50k/exploit is far more beneficial to the
> "exploiter" than getting nothing and just sharing the love....where MS
> would lose out more if this happened and leave them more exposed...
>
> I'm not arguing for either side of the case as I haven't looked into it
> enough to make my own judgment, but I don't think your assessment is
> accurate...
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Cody Tubbs
> Sent: Wednesday, December 20, 2006 10:40 AM
> To: Radu Oprisan
> Cc: pen-test () securityfocus com
> Subject: Re: Trend Micro's Vista "0day exploit auction" claim
>
> It's cheaper to pay kids 50k for actually finding flaws, rather than 
> paying hundreds of QA engineers 60-100k a pop to spend months finding 
> nothing.  Another reason M$ sucks, exploit the exploiters.
>
> -Cody Tubbs
>
> Radu Oprisan wrote:
>   
> > Ryan Meyer wrote:
> >   
> >     
> > > A number of popular tech news sources are reporting Trend Micro's
> > >       
> CTO,
>   
> > > Raimund Genes, publicly claiming that there are "auctions" for
> > >       
> zero-day
>   
> > > Windows Vista exploits. Further, he claims these auctions are
> > >       
> fetching
>   
> > > approx $50,000.
> > >
> > > Could anyone verify Trend Micro's claim?
> > >     
> > >       
> >   
> >     
> > > It seems dubious, at best, to me and possibly nothing more than pure
> > >       
> FUD.
>   
> > > Sorry to get off topic.
> > >
> > > Ryan Meyer
> > >     
> > >       
> > This could also be some covert way for microsoft to find their own
> > vulnerabilities. That has happened before.
> >
> >   
> >     
>
>
>