The Zero Day Initiative, a vulnerability purchase program run by security firm TippingPoint, released data on the demographics of its freelance researchers on Thursday.
More than 600 researchers have submitted over 1,000 vulnerabilities to the program since it started two years ago. The initiative currently averages about 40 flaw submissions a month and typically accepts about 10 percent of the vulnerability research submitted. The flaw finders who work with TippingPoint, a subsidiary of 3Com, are usually in their 20s, with only about 40 percent working in the security industry. The top five countries in which the researchers live are, in order, the U.S., the U.K., Germany, Brazil and India.
For the most part, the researchers claim to hold to a high standard of ethics, with only 10 percent of those surveyed saying they would sell a vulnerability to the underground for more money.
"A company already offered me to buy 0days for much more money but I declined this offer because I didn't know what they really wanted to do with that and at the end I don't think it will help to improve the security of the software industry," stated one researcher in the survey, according to ZDI.
Vulnerability buying programs have become more popular and less controversial since iDefense kicked off their Vulnerability Contributor Program in August 2002. While many researchers look to private buyers to get better prices, others like the vulnerability purchase programs because both TippingPoint and iDefense notify the software vendor and get the flaws fixed. The recent launch of the controversial WabiSabiLabi auction site for vulnerability information could mean that researchers might find better prices, but has also irked many flaw finders.
None of the researchers polled by TippingPoint's ZDI subsisted on their income from finding flaws, though some stated that their bounty from bug hunting was a significant boost to their income.
Posted by: Robert Lemos