[This was originally published on the OSVDB blog.]
Since the debate about pay-for-disclosure started, some folks have wondered what vulnerabilities are worth. We’ve seen companies like Verisign/iDefense and Tipping Point/ZDI offer serious money for vulnerabilities in the past. Adding to the mix, matousec.com has published a purchase page with prices of some of their vulnerability research information:
* Full analysis of reviewed personal firewalls
Visit Windows Personal Firewall analysis methodology page to get information about what the full analysis is. The full analysis is preferentially offered to the product vendor. If the vendor buys the analysis it is given 30 days protection for all private information included in this analysis.
Prices:
o ZoneAlarm Pro 6.1.744.001 analysis – 1,500 ($ 1,950)
o Kerio Personal Firewall 4.3.246 analysis – 500 ($ 650)
o Norton Personal Firewall 2006 version 9.1.0.33 analysis – 1,500 ($ 1,950)
o BlackICE PC Protection 3.6.cpj analysis – 1,500 ($ 1,950)
* Single bugs of reviewed personal firewalls
Visit Windows Personal Firewall analysis methodology page to get information about what the single bug is.
Prices:
o ZoneAlarm Pro 6.1.744.001 bugs – visit ZoneAlarm Pro 6.1.744.001 – Review
o Kerio Personal Firewall 4.3.246 bugs – visit Kerio Personal Firewall 4.3.246 – Review
o Norton Personal Firewall 2006 version 9.1.0.33 bugs – visit Norton Personal Firewall 2006 version 9.1.0.33 – Review
o BlackICE PC Protection 3.6.cpj bugs – visit BlackICE PC Protection 3.6.cpj – Review