Hacking contest highlights value of vulnerabilities
Robert Lemos, SecurityFocus 2008-03-25

Security professionals that take part in an annual hacking contest will have more reasons to part with their latest vulnerabilities: Up to 20,000 more reasons.

Comments

Price factors. (batz, 2008-03-25)
Considering that the consulting rate paid by a govt or a bank for low-grade security consultants can be anywhere from $1200-$2500/day (of which the actual consultant gets a tiny fraction), someone with the skills to find, develop and exploit a 0-day vulnerability, given the scarcity of those skills, would sit at the top of that range.

On top of what a govt pays for a consultant, consider the consultant's actual salary (~$500/day) as the opportunity cost of not working on something billable, and add that to the value to the govt. So call it an even $3k/day.

The minimum amount of time to work on developing the 0-day sploit is 1 day. Even if you think about it for a few hours, again, opportunity cost factors into the pricing. Based on this conservative estimate, the work on an exploit by itself costs $15,000 for a 5-day effort.

The remaining arithmetic is left as an exercise to the reader.

How long would it take for a low-grade (Big N) consultant to protect a network against the 0-day threat at $2500/day? Consider that it may remain 0-day and exploited in the wild for a few months. Even a short-term engagement of 3 months costs about $157,500... and yet they are still 0wned.

Why do some people pay so much for 0-day? Because it's worth it.

Copyright 2007, SecurityFocus