
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

The exploits would be sold to the highest bidders. The exploit writers
and the buyers could remain anonymous.

In December 2006, eWeek reported that zero-day vulnerabilities and exploit code
were being auctioned on these underground, Internet-based marketplaces for as much
as $50,000 apiece, with prices averaging between $20,000 and $30,000. Spam-spewing
botnets and Trojan horses sell for about $5,000 each. There is increasing incentive to
"turn to the dark side" of bug hunting.

The debate over higher pay versus ethics rages on. The researchers claim that this isn't
extortion, that security researchers should be paid a higher price for this specialized,
highly skilled work.

Gray Hat Hacking: The Ethical Hacker's Handbook (page 68)

So, what is it worth? What will it cost? What should these talented, dedicated, and
skilled researchers be paid? In February 2007, dialogue on the hacker blogs seemed to
set the minimum acceptable "security researcher" daily rate at around $1,000. Further,
from the blogs, it seems that uncovering a typical, run-of-the-mill vulnerability, understanding
it, and writing exploit code takes, on average, two to three weeks. This sets the
price tag at $10,000 to $15,000 per vulnerability and exploit, at a minimum.

