K F (lists) wrote:
> We all know black hats are selling these sploits for <=$25k so why
> should the legit folks settle for anything less? As an example the guys
> at MOAB kicked around selling a Quicktime bug to iDefense but in the end
> we decided it was not worth it due to low pay...
>
> Low Pay == Not getting disclosed via iDefense....
Maybe that's all they are worth to iDefense, since they aren't
monetizing them in the same way blackhats are.
Maybe for some people if they were going to just give them to Microsoft
anyway, a few thousand bucks is worth it.
Me, for example, if I were capable of of finding such vulns, I wouldn't
sell them to the guys writing the drive-by spyware installers. I might
sell it to iDefense or Tippingpoint, though.
> We all know black hats are selling these sploits for <=$25k so why
> should the legit folks settle for anything less? As an example the guys
> at MOAB kicked around selling a Quicktime bug to iDefense but in the end
> we decided it was not worth it due to low pay...
>
> Low Pay == Not getting disclosed via iDefense....
Maybe that's all they are worth to iDefense, since they aren't
monetizing them in the same way blackhats are.
Maybe for some people if they were going to just give them to Microsoft
anyway, a few thousand bucks is worth it.
Me, for example, if I were capable of of finding such vulns, I wouldn't
sell them to the guys writing the drive-by spyware installers. I might
sell it to iDefense or Tippingpoint, though.
BB
[ reply ]