This is very true... and in some cases rather than do either you choose
to sit on the bug. It's almost a catch-22... some folks invest time
upfront putting work into various vulnerabilities and have no way to get
back that investment. That in essence amounts to free QA for vendor X, Y
or Z and nothing for the researcher. In efforts to offset some of those
costs, those same folks often look to sell a bug or two here and there
rather than instantly give them to the vendor. Unfortunately the current
public options pay very little cash and it's almost not worth selling the
bugs in some instances.
I sat on the Veritas bug that was used as 3Com / ZDI's first release for
over a year at the very least... quite a bit of time was put into
tooling that bug into a workable exploit / proof of concept. The bug was
offered to iDefense well before ZDI even existed, but their offer hardly
covered the hourly rate of the individuals that worked to make it into a
valid exploitable issue. I do not recall the exact price, but I think
there was a $2k cap per bug at that time. Rather than sell it so cheap
we just sat on it...
The vendor had been very non-responsive to previous security requests, so
there was no real incentive to report it to them either. Eventually ZDI
came along and we pushed the bug to them for quite a bit more than the
iDefense offer. Even though 3Com pays very well, after splitting a
payout between 2 researchers that had to pay Uncle Sam via 1099, it often
seems like a waste of time.
I do not know the going rate for a year's worth of iDefense Corp updates
or a year's worth of support for ZDI's IDS, but I would have to expect
that these companies are profiting far more than the average researcher
that submits to them. How about the free QA that the vendors get... how
much is it per license for some of these products? Can't they
collaborate with folks like ZDI or iDefense to get some better
incentives going? At this point... like I said, it's almost not worth
selling to these sorts of companies.... Uncle Sam is a friggin' hound
over 1099 money.
-KF
Me, for example, if I were capable of finding such vulns, I wouldn't
sell them to the guys writing the drive-by spyware installers. I might
sell it to iDefense or TippingPoint, though.
BB