Saw this comment in Rob Lemos’ article on the Excel 0day that went up for auction briefly on eBay:
The problem with the current market for vulnerabilities is that security researchers are generally poorly paid for the amount of work that they have to invest in finding flaws, he said. Knowledgeable researchers, who might otherwise charge $100 or more an hour for their work, can spend weeks searching for security problems, Hoglund said.
A suggestion to bughunters: it is not economically beneficial to keep looking for security problems. Go make that $100 an hour elsewhere – it’s worth it.
That’s a bit dangerous. If we are going to push the ‘only do it if it is worth it financially’ line then it is going to be hard to argue against unethical disclosure glory hounding in an effort to promote your new shiny vulnerability research lab.
@Dominic -
Good point – I should clarify. My point was that bughunters shouldn’t hunt bugs because it may not be worth it (at least according to the point made in the excerpted article).
But I also don’t want them doing it even if it is worth it, because there is a huge externality there – it may be worth it to the researchers even though it is extremely detrimental to Internet users overall.
Of course, that “it is extremely detrimental to Internet users overall” is not at all a settled question.
@Chris – I guess the word “extremely” is debatable, but nobody in their right mind would suggest that the level of risk on the Internet doesn’t increase with new vulnerabilities found (there is clear evidence here), so I think it is reasonable to call that “detrimental.”