The Almighty Buck Bug Security

Exploit Vendor Publishes Prices For Zero-Day Vulnerabilities 21

An anonymous reader writes: An exploit vendor published a price list for the zero-day bugs it's willing to buy. The highest-paid bugs are remote jailbreaks for iOS. Second are Android and Windows Phone. Third are remote code execution bugs for Chrome, Flash, and Adobe's PDF Reader. This is the same company that just paid $1 million to a hacker for the first iOS 9 jailbreak.
  • Still legal? (Score:5, Interesting)

    by Rob MacDonald ( 3394145 ) on Friday November 20, 2015 @08:40AM (#50968857)
    I'm still confused as to how this exploit market is still legal. Security research has legal purposes; exploit discovery has legal purposes. But the selling of exploits on an open market seems to have only one purpose: using those exploits for something nefarious. So on the one hand, according to some, just the fact that there is torrent traffic on my network makes me a criminal..... but on the other, this company can buy and sell exploits to be used to hack and attack people and it's perfectly legal? Sounds about right.
    • "I'm still confused as to how this exploit market is still legal."

      The company is probably a front for NSA/CSIS/GCHQ/Mossad.

      For all intents and purposes, these agencies are above the law.
    • Because people realized there is more money in selling broken products which are not immediately obvious than selling non-broken products. Pop-Station (PSP knock-off) from China is a similar story. Is it possible to make a secure product? Absolutely. Will any company produce one? Absolutely not, because triple letter companies (err security organizations), and friends, need to get in your phone. For your safety of course, or the terrorists win.
      • Is it possible to make a secure product? Absolutely.

        Stop right there. This statement is false, at least with respect to systems of significant complexity. This is completely obvious when you realize that software security defects are just bugs. You'll never have perfectly secure software until you have perfect software.

        Unless we want to dramatically reduce the complexity (and hence capabilities) of the systems we use, to a point where we can produce formally-verifiable security and correctness proofs, there will always be vulnerabilities. If you accept you

        • So your argument is that we are too dumb to make a secure product. It's possible, but it takes too much effort to understand the complexity, so we should have faith. Right. I'll get back to you on that.
    • That could actually turn into a very sane situation. If you add a constraint to sell the vulnerability to the responsible company if that company is willing to match the highest bidder, then it could be really helpful:

      - Security researchers get paid for their work

      - Companies get an incentive to improve security before releasing products

  • Warrant or NSL for US brands access?
    If the Five Eyes nations can just ask for US access, or go to a friendly US court, or have access designed in under US law, what's the payment for the big US brands for?
    Why are Linux, VMs and the Tor browser so cheap, easy or well covered, while US brands that enthusiastically helped the US and UK governments with decryption in the past are so expensive? Even some antivirus options seem to be lower on the list?
    A remote jail break on a cell like device seems like any offering that a US warrant
    • Why are Linux, VMs and the Tor browser so cheap, easy or well covered, while US brands that enthusiastically helped the US and UK governments with decryption in the past are so expensive?

      Because the number of Linux people who do online banking in a VM through Tor is small. The number of iOS people who do banking on their phone is large.

  • by bagofbeans ( 567926 ) on Friday November 20, 2015 @11:19AM (#50969777)

    Software developer in cahoots with security researcher could design in an obscure bug for the security researcher to 'find', and $$$.

    • MOD PARENT UP!

      Spot-on. The phenomenon is not new, either. Symantec got big in the late 1980's and early 1990's by awarding bounties for discovery of "new viruses". To help, they provided examples of 'known' viruses.

      To a kid in high school or college, this was an easy $50.
      * Copy one of their "examples"
      * Change something very minor in a hex editor
      * Use a printout or send code via a BBS (pre-internet, remember?)
      * Profit! (I did.)

      And PROFIT Sym
