Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
The value of vulnerabilities
Jason Miller, 2006-03-07

There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?

Comments Mode:
The value of vulnerabilities 2006-03-07
Anonymous (4 replies)
Re: The value of vulnerabilities 2006-03-08
infamous41md
Re: The value of vulnerabilities 2006-03-08
Anonymous
Re: The value of vulnerabilities 2006-03-08
Dancho Danchev
Re: The value of vulnerabilities 2006-03-17
Anonymous
Another viewpoint - The value of vulnerabilities 2006-03-08
Robert E. Lee
The value of vulnerabilities 2006-03-08
Matthew Murphy (1 replies)
Re: The value of vulnerabilities 2006-03-13
John Smith
The value of vulnerabilities 2006-03-08
Anonymous (1 replies)
Re: The value of vulnerabilities 2006-03-13
hi2005
The value of vulnerabilities 2006-03-08
Omar A. Herrera (2 replies)
Re:Good Points 2006-03-08
R_U_Trustified (2 replies)
Re: Re:Good Points 2006-03-09
infamous41md
Re: Re:Good Points 2006-03-09
Matthew Murphy (1 replies)
Re: Re: Re:Good Points 2006-03-14
Robert E. Lee (1 replies)
Re: Re: Re: Re:Good Points 2006-03-15
Matthew Murphy (1 replies)
Re: Re: Re: Re: Re:Good Points 2006-03-17
Anonymous
Re: The value of vulnerabilities 2006-03-13
hi2005
The value of vulnerabilities 2006-03-10
Max (1 replies)
Re: The value of vulnerabilities 2006-03-14
Robert E. Lee
Responsible disclosure 2006-03-13
Anonymous (1 replies)
Re: Responsible disclosure 2006-03-14
Robert E. Lee
The value of vulnerabilities 2006-03-16
C. Winchester
What Value? 2006-03-17
Anonymous (2 replies)
The question that no one is really asking is: What value do companies get from buying vulns? Why does iDefense or 3Com or Immunitysec pay for 0day vulns? And why now?

With remote vulns that are truely exploitable becoming fewer, these companies that relied on vulns to fuel their businuess model are having to buy them where before they could harvest them off of bugtraq for free. They are forced to lower what they pass off as 'remote code execution' to their customers. For example, if Idefense can place any value in memory or a register that suffices as 'remote code execution'.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/391/33331#33331
Re: What Value? 2006-03-20
infamous41md
Re: What Value? 2006-03-28
Anonymous







 

Privacy Statement
Copyright 2009, SecurityFocus