Re: [Dailydave] Vulnerabilities Market

From: rajat swarup (rajatsgmail.com)
Date: Thu May 20 2010 - 11:43:17 CDT


On Wed, May 19, 2010 at 1:33 PM, Jason Syversen
<jason.syversengmail.com> wrote:
> There's a good survey of the 0-day vulnerabilities market with breakdowns by
> vendor including pricing, trustworthiness and friendliness posted online at
> http://unsecurityresearch.com/index.php?option=com_content&view=article&id=52&Itemid=57
> (thanks to reversemode RT nrathaus).
>
> I went through the survey and did some analysis of average prices by client
> side vulnerabilities, server side vulnerabilities and both as well as
> percentage of purchases that are "high value" and off the survey charts:
> http://cyber-son.blogspot.com/2010/05/vulnerability-market-numbers.html
> Also some good reading material in an older post
> (http://cyber-son.blogspot.com/2009/09/vulnerability-research-market.html)
> including some of the groups advertising research, Pedram's excellent
> briefing on the market and some other papers.
>
> Hadn't seen that information disseminated widely and thought there would be
> interest. I'm always interested in quantifying more of what's going on in
> the community and particularly in computer security markets like this one
> that tend to be extremely opaque. Hopefully more people will fill out his
> survey so there is improved statistical sampling. I suspect the current
> margin of error is workable but definitely not negligible. Enjoy.
>
Both Google & Mozilla Foundation were not even a part of this. They
also pay researchers for 0-days in their products (Chrome & Firefox).
I guess these include just the resellers and not in-house purchasers
(or they could be included under the "direct to buyer" category).

--
Rajat Swarup
www.rajatswarup.com
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave