VULNERABILITY COMES CHEAP?

There’s an increasingly open market in computer vulnerabilities. Crooks buy them to construct “zero day” exploits that haven’t been seen before and that are likely to escape most malware detection systems. Security firms buy the vulnerabilities to improve their detection programs.
So what’s the price of a new vulnerability? A very limited study found that most vulnerabilities sell for $5,000 or less. Some of the posters at Slashdot are pleased that vulnerability sellers, presumed to be unscrupulous researchers and hackers, “aren’t making much money at it.” But considering the lack of trust in any such market — the buyer doesn’t know the vulnerability is any good until it’s been clearly explained, and once the seller has clearly explained it, the buyer has no incentive to pay — $5,000 doesn’t seem all that cheap.
And if it is, should we celebrate? A low price for computer vulnerabilities tells us something about the supply of vulnerabilities: Plenty more where those came from. I don’t think we open champagne when the wholesale price of cocaine hits new lows.