Vulnerability Development mailing list archives

RE: 0-day exploit..do i hear $1000? (a net admins 2 cents)


From: "leon" <leon () inyc com>
Date: Fri, 19 Oct 2001 19:04:23 -0400


I would just like to add this from a net admin / engineer's perspective.

I think that exploits are software.  Software can be proprietary or
freeware.  If an exploit writer wants to sell his code that is fine; he
created it, and if he wishes to be paid for his work he deserves to be.
My question is based on this scenario: let's say you are a pen-tester or
someone doing vulnerability assessments and you paid 1,000 or whatever
dollar amount for some remote IIS exploit that there is no patch for.
If you are pen-testing, sure, you compromise the webserver, but at the end
of the day the clients are going to want that fixed; what do you say
then?  I know people (pen-testers) will say "oh well, M$ hasn't patched
it, sorry."  But I don't know if that really helps anyone.  In the end
all 0-days do is provide an upper hand (as in a non-level playing field)
to black hats or computer attackers.  So in my mind selling exploits is
fine; it is similar to selling any other form of software, since
exploits are not illegal (unlike guns, so one cannot compare it to
selling arms).  Does it make me happy to know that people are doing it?
No, not at all, but it doesn't make me happy either knowing someone coded
something, released it, and someone else is making tens of thousands off
of it.  Perhaps the best thing to do if blackhats want to keep their
sploits private and not have them used by pen-testers is exactly that:
keep them private.

Not sure if that means anything but that is my take as a lowly net
admin.

Regards,

Leon
