To be honest I was very surprised when I was reading an article about what is called the
It seems that currently there is a thriving (possibly an overstatement) market for vulnerabilities.
In other words, a person or group discovers a vulnerability and offers it to the highest bidder.
Why would someone want to buy a vulnerability?
This is a good question. I think that there might be several reasons for buying a vulnerability:
- If you are in the business of corporate espionage, you might want to have it in your arsenal.
- If you are in the business of just doing bad things for fun, you might want to have it in your arsenal.
- If you want the publicity for being the one that “discovered” the vulnerability, you might want to have it in your arsenal.
The first and the third reasons intrigue me:
If you are a shadow dweller who makes money by stealing information from corporate information systems,
obtaining knowledge about undiscovered/unexploited vulnerabilities has to be invaluable. Your target
cannot, and does not, expect you to use that angle of attack, since he is not aware that he is vulnerable; this might
provide you with the edge you need.
Obviously it would be in your best interest to keep the vulnerability to yourself and leave it undisclosed for
as long as possible.
As for the publicity: by being the firm that has “discovered” such a vulnerability, you might gain a better perception
in the public's eye as being proactive in identifying vulnerabilities; for a security company this might be invaluable.
The issue to debate here is: what happened to ethics?