Exploit Game: $$$ vs Vulnerability Researcher

Charles Miller, a security researcher at Independent Security Evaluators, says he was offered $80,000 for a remotely exploitable flaw in Linux, and sighs that he could have asked for more. He could not get that price due to several conditions, but finally managed to sell it for $50,000.

He has written an interesting paper analysing the vulnerability market. In it he sheds light on various aspects of selling vulnerabilities to legitimate companies and government agencies, and shares his own experience of selling vulnerabilities, covering both the good and the bad sides. The paper will be presented next weekend at the “Workshop on the Economics of Information Security”.

Most vulnerability researchers have neither enough information about whom to contact nor any idea of the right price. iDefense and other vendors take advantage of (or exploit) this through their vulnerability reward programs.

Explaining the current situation of vulnerability researchers, Charles says, “I don’t think it is fair that researchers don’t have the information and contacts they need to sell their research.”

And here is a mind-blowing paper written by him on the vulnerability market.

