First, from the Associated Press:
"Rouland contends the 2007 number would have been higher if not for the
emergence of a black market that will pay up to $100,000 to computer
whizzes who find such threats and sell the information to criminal
gangs eager to exploit them."
This quote references the X-Force report I mentioned in an earlier post – you know, the one where people are really concerned that the number of vulnerabilities is decreasing.
Second, from a private mailing list:
"I’d bet that most skilled researchers have a number of vulns that they know
of that are just lying around, where they didn’t have the time or inclination
to publish. Maybe they *know* an overflow is exploitable, but haven’t put in
the 20 hours to prove it; maybe they don’t want to deal with the hours/days
of labor it takes to disclose it responsibly; etc. Since we’re on the back of
the envelope – conservatively, I’d say that each skilled researcher would
have a minimum of 5 issues that are just lying around that are not likely
to get published. So, we’re talking hundreds or thousands."
Hmmm, well, five unpublished issues at up to $100,000 apiece is $500k, and that sure isn’t chump change to me; I suspect that would be true of many bugfinders. So, we have (potential) sellers sitting on $500k of unrecognized income, and buyers paying as if vulnerabilities are scarce while the supply is plentiful.
I think this variance may be evidence of something else as well. It is common for people to argue that one reason to find (and publish) bugs is that the bad guys can find them just as easily. Setting aside the fact that this argument is bogus to begin with (rediscovery rates are 7% at best), if these two perspectives really are rational, then the gap between them illustrates how much worse the bad guys are at finding vulnerabilities, and is perhaps a credit to every legitimate bugfinder who keeps his vulns secret.
To heck with gaming the numbers, it is great fun to watch people gaming the analysis (me included? feel free to clue me in where I am wrong…).