As I mentioned in the blog post, I would love to see security researcher getting paid more but not by the means of extortion. This approach will not only backfire soon but also it will undermine all of our hard work. I don’t mind if you can get paid 75K for a bug. If you can and you are happy with the terms of the deal than you should do it. What I do mind is the whole no more free bugs campaigning.

What the no more free bugs campaign promotes is not to disclose critical information unless certain demands are met. It sounds ridiculous and terribly wrong!

Also, it is pretty subjective to talk about how much Apple and other software and hardware vendors are willing to pay for a bug. Keep in mind that if they know that a vulnerability in their products worths $75K they would have had a proper bounty program. As far as I know, Mozilla is one of the few vendors which offer bounties for bugs and they are not paying that much, i.e. you are not going to get rich.

As a matter of fact, I hear that ZDI has bought some vulnerabilities for at least $50K in some instances. I am not sure if this is true but if it is than I guess the market is finding its own way to justify the cost. However, if bugs can be sold to vendors for $50K than why should anyone bother with pwn2own competitions where you are making a lot less then that?

Excuse me but when a vulnerability is worth $75k on the vuln-black market we’re talking about vendors with massive market penetration. We’re talking Microsoft, Apple, Adobe, IBM, etc.

From a purely business perspective, WTF is 75k to these companies? Let’s pretend for a moment that Adobe could pay for that whole 0day issue to jut go away… do you think they would pay a 75k for that to never have happened? What was the impact on Adobe’s image? their brand? The issue here is the same one that plagues the entire security industry – what metrics do we use to quantify the damage?

If 75k was all it took to hire ‘an entire team’ of security researches to hammer away at a complex product (and it’s not) then companies shouldn’t damn well be doing it? If they’re not… they should pay dearly.

If I go out and buy a lawn mower and it has bugs… i can return it and get my money back… or at least get a new one without the bugs. If the bug in the lawnmower cuts off my foot (INSERT CONFICKER DAMAGE ESTIMATE HERE!) I’m effing pissed and I sue Lawnmower Co. If I go buy a Quicktime media broadcasting product and my .com gets pwned and I spend $??k fixing the internal breach can I sue? No.

(Unfortunately) I agree that companies won’t pay $75k for a game-over vulnerability in their product but that’s because they aren’t measuring the impact that their bad code has on their image and, more importantly, they aren’t held accountable for the damage they cause around the globe when their shitty code breaks.

Why would you only want to achieve a crash? It goes without saying that is only half of the exercise. No one’s going to pay for code that only causes a fault, they want the exploit that goes along with it.

Also the level of difficulty of coding exploits vs. finding bugs is subjective, I would not be surprised one bit to find those same sweatshops workers not only running fuzzers but also coding the sploits to go along with them… this isn’t exactly quantum calculations, this is bottom feeding leg work.

some people think that my argument is that security researcher are already paid enough and they don’t deserve to be paid more for their exceptional work. this is incorrect. my opinion is that although you, as a security researcher, dictate the price of your work, at the end of the day it is all business. you can ask for any sum you can imagine but if no one is willing to buy it at that price you will loose. and asking 75K from a legit company for a vulnerability which could be leaked tomorrow is not the way to go. it is a high risk investment no one will bother to get into. as a businessman, if I give you 75K for a vulnerability I would like to see first of all return of that investment and perhaps even a bit of profit. the only people that will buy at that price are either military institutions (only if inline with the current budget and objectives) or shady figures from around the Internet who will use your work to expand their botnets.

“Finally, I know that a lot of people are into the security business because of all the romanticism and the myths surrounding the hacker figure”

Which is it then? People also makes shoes and clothes by hand in sweatshops, that doesn’t take much intelligence either. If the same people who get paid 70$ a month to put strings in shoes are also writing expoits, doesn’t that kind of take the whole “romanticism” and “elitism” of being a “hacker” and throw it out the window?

personally, regarding selling vulns, i rather avoid unknown buyers, and stick to programs like ZDI. yes, ZDI will pay you MUCH less than a company which will force you to sign an NDA, but i think it’s worth it, considering that you know who you’re dealing with. prob. the only other type of entity i would sell vulns to, besides programs like ZDI, is the government. And even then you gotta really think about what government you’re selling it too as it can actually screw up your career due to international politics. ie: .uk researcher selling vulns + working exploits to the .cn government.

Regarding ‘hacker’ romanticism, pentesting, exploit writing and vuln research in general are nothing other than 1) spotting the crap that other people forgot to clean, and 2) proving that not cleaning your crap can lead to a problem.

Although i love offensive security in general, i must say that sometimes i feel like changing careers and becoming a hotel manager in sunny southern spain :) Security research is very interesting, but no one gives a darn ultimately.

Thus, I don’t think a couple of underpaid Chinese ‘hackers’ will be so much productive in that aspect.

Although, as far as web vulnerabilities are concerned, I totally agree with you that’s a very possible scenario. Web application vulnerabilities are generally much more easier to exploit.

[Fuzzer's] yes but India is complete different jungle, You can hire bunch of engineering guys but minimum wage will be like 250 to 300$ per month those kind of profit making market you mentioned is long gone. but to my knowledge army is hiring hackers to develop exploits ;)

Now, coding exploits has nothing to do with finding bugs… seriously… especially when all you want to achieve is a crash which can be replicated. It doesn’t require any special knowledge to write fuzzers or fuzz test software. at least, this is my humble opinion. My example was vague but based on other similar types of business models, i.e. WoW sweatshops, as I mentioned.

There are many other points in the article. Let’s not ignore them.

I can guarantee people with this idea cant survive here.

also math is different if you are Security guy& you could code exploits you charge minimum of 500 to 1000$ per month:)