Information Security News mailing list archives

More Exploits For Sale Means Better Security


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 12 Oct 2011 03:39:11 -0500 (CDT)

http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231900575/more-exploits-for-sale-means-better-security.html

By Robert Lemos
Contributing Editor
Dark Reading
Oct 11, 2011

For a decade, security researchers have been able to earn money by selling the details of significant vulnerabilities to bounty programs: first to the Vulnerability Contributor Program launched by iDefense in 2002, and then to TippingPoint's Zero Day Initiative, which went live in 2005.

Extending the model, security research and testing firm NSS Labs launched ExploitHub, an app store model for the sale of code to exploit known vulnerabilities. Preapproved buyers can browse the store and pay anywhere from $50 to $1,000 for ready-to-use exploit code.

Yet the mix of attack code has been anemic. A look at ExploitHub shows that sellers are hawking code that attacks Oracle, Novell, and a handful of Windows vulnerabilities. NSS Labs hopes to change that: Last week, the company introduced a voting system for buyers to specify vulnerabilities of interest, as well as a prize system that pays a bounty for posting code to exploit the flaws. The company plans to pay between $200 and $500 for working attacks that target specific vulnerabilities in Internet Explorer and Adobe Flash.

By providing exploits that are in greater demand, defenders are better served, says Rick Moy, CEO of NSS Labs.

[...]

