Saturday, July 30, 2011

ZERO DAY exploit auction sites?

Facebook has joined Google to pay hackers a $500-and-up bounty for reporting bugs. Google says they've already paid out over $300,000 for bug reports. My question: "Why so little?" Shouldn't it be 10 times that amount?

If I were truly enterprising and far less ethical, I'd start an online auction site kind of like eBay but for Zero Day exploits. I would be the arbiter, get a 10% cut, and be the sole decision maker of whether or not the buyer's winning bid is transferred to the seller. As of the time of this writing, all the cool domains are available:

  • ZeroDayAuction.com
  • ZeroDayAuctions.com
  • 0DayAuction.com
  • ZeroDayExploits4Sale.com
  • ZeroDay4Sale.com
  • ZeroDaysRUs.com (you'd hear from the Toys 'R US attorneys, huh?)

You get the idea. Of course, I'm not going to reserve any of these URLs. But a good Zero Day exploit is worth a heck of a lot more than $500. I'll bet Microsoft and Adobe would pay at least $50,000 in an auction. Of course the reverse-engineering provisions in their licensing agreements might give them legal ground for a U.S. court injunction, but if the auction and payment were to take place outside the U.S.…

Implementation suggestions for THE MORGAN DOCTRINE are most welcome. What are the "Got'chas!"? What questions would some future Cyber Privateering Czar have to answer about this in a Senate confirmation hearing?