Tag: iDefense

  • Perlroth & The First (Zero-Day) Broker

    I am currently reading “This Is How They Tell Me The World Ends” by Nicole Perlroth, only on page 60 in Chapter 5, so a long ways to go before completing the 471 page tome. I hit chapter 4, titled “The First Broker” and it was of specific interest to me for sure, prompting this…

  • CVE Vulnerabilities: How Your Dataset Influences Statistics

    [This was originally published on the OSVDB blog.] Readers may recall that I blogged about a similar topic just over a month ago, in an article titled Advisories != Vulnerabilities, and How It Affects Statistics. In this installment, instead of “advisories”, we have “CVEs” and the inherent problems when using CVE identifiers in the place…

  • iDefense VCP as seen through OSVDB

    [This was originally published on the OSVDB blog.] In 2002, iDefense started their Vulnerability Contributor Program. The VCP was created to solicit vulnerability information from the security community and pay researchers for the information. Paying up to US$15,000 for a vulnerability or exploit, iDefense proved there was a significant market for such information after years…

  • Responsible Disclosure – Old Debate, Fresh Aspects?!

    [This was originally published on the OSVDB blog.] Earlier this evening, there was a Twitter debate regarding a proposed standard for responsible vulnerability disclosure. It referred to ISO/IEC 29147, a proposed standard for responsibly disclosing a vulnerability. Dino Dai Zovi brought up a fresh angle, that the “responsible disclosure” name itself completely ignored the aspect…

  • “high price bug brokering market just isn’t viable”

    [This was originally published on the OSVDB blog.] On January 17, 2007, SnoSoft / Netragard LLC announced a new Exploit Acquisition Program designed to compete with iDefense, TippingPoint and others. Nothing special or different other than the suggestion that they would pay more for high end vulnerabilities. A little over a year later, and they…

  • The value of 0-day…

    [This was originally published on the OSVDB blog.] Another interesting article regarding the value of 0-day vulnerabilities. Rob Lemos relates the stories of a few researchers who sold their 0-day vulnerability/exploit information for big dollars. The twist here, which is news to some, is who purchased it (the .gov) and for how much (as high…

  • Matousec’s Vulnerability Value

    [This was originally published on the OSVDB blog.] Since the debate about pay-for-disclosure started, some folks have wondered what vulnerabilities are worth. We’ve seen companies like Verisign/iDefense and Tipping Point/ZDI offer serious money for vulnerabilities in the past. Adding to the mix, matousec.com has published a purchase page with prices of some of their vulnerability…

  • Security expert dubs July the ‘Month of browser bugs’

    [This was originally published on the OSVDB blog.] Security expert dubs July the ‘Month of browser bugs’ By Greg Sandoval Each day this month, a prominent security expert will highlight a new vulnerability found in one of the major Internet browsers. HD Moore, the creator of Metasploit Framework, a tool that helps test whether a…

  • Vulnerability Purchasing

    [This was originally published on the OSVDB blog.] Several years ago, iDefense started purchasing vulnerabilities from freelance researchers, and created its Vulnerability Contributor Program. Find a vulnerability, disclose it to iDefense under mutual NDA, and they would act as a mediator between you and the vendor for disclosure. After a patch was available, iDefense releases…

  • Zero Day Vulnerabilities – Sell Your Soul?

    [This was originally published on the OSVDB blog.] There have been several Vulnerability Sharing Clubs (VSC) in the past including iDefense, Immunity and others. For those who question this business model, consider Verisign just purchased iDefense for US $40 million. Still not a believer? Consider 3Com/TippingPoint is now offering a new VSC called the Zero…