If requesting payment from an affected party directly for the disclosure of vulnerabilities is considered extortion, how can independent security researchers earn a living or side income from researching security vulnerabilities?

Arminius
Nick

3 Answers

In the 'white' sense, the most well-known companies that pay researchers to buy vulnerabilities or exploits are:

Certain companies like Mozilla and Google have established bug bounty programs - they buy vulnerabilities of their software themselves.

Charlie Miller (famous exploit developer) has written a small paper on the topic - it's an interesting read: The Legitimate Vulnerability Market: The Secretive World of 0-Day Exploit Sales (2007)

john
  • See also Digital Armaments: Contribute Program (though their website problems don't put them in a good light...) – nealmcb May 25 '11 at 18:29
  • I didn't mention them because I personally don't really trust them. I've never heard of anyone submitting bugs to them. Seems a little scammy, or shady at least. – john May 25 '11 at 18:35
  • Many thanks for this answer, john. Charlie Miller's paper is particularly interesting. He mentions SNOsoft's Exploit Acquisition Program as another potential marketplace. – Nick May 25 '11 at 22:13
  • @Nick, thanks for that, forgot about Netragard, I'll edit. Funny story, they started their program some years ago, then stopped it in 2008, then started it again last year. I think they are mostly brokers though, instead of circulating vulns to client lists or using them to create IDS signatures as TippingPoint does. Also they buy only full exploits (ZDI buys vulns or exploits) – john May 25 '11 at 23:13
The bug bounty programs and competitions like pwn2own come to mind.

Not an exhaustive list, but large companies that offer bug bounties:

Microsoft is a notable exception.

You could also get a research grant from Universities and the government.

Rakkhi
  • I think Facebook doesn't 'buy' vulnerabilities just yet. Their CSO announced (a few days ago) that they'll start their bug bounty program within the year. – john May 25 '11 at 10:37

I'd say it has a lot to do with the order of operations:

Extortion:

  • find vulnerability
  • contact company and demand payment

Tiger Team:

  • contact company and negotiate contract
  • find vulnerabilities

Unless there's a bug-finding program set up already, attempting to find vulnerabilities and hacking look pretty much the same without a pre-existing contract.

I know a few independent/small company consultants who manage to make a living working as a tiger team for companies. I'd say the hardest part is getting the reputation, so you can make a case to the company that you should be the person they pay for this work.

bethlakshmi