
Is it worth paying hackers to search for bugs?

Vulnerability detection is hard work.
And very profitable. For the bad guys.
Charlie Miller, the famous Mac hacker, announced that he would no longer release exploits for free. In addition, Charlie and several of his friends launched the “No More Free Bugs” movement.

I really respect Charlie and I think he is right. He just wants to do what he can do very well. The services he provides are very valuable for software vendors and for all of us. However, there is one question: will Charlie sell the bugs he finds to the “bad guys” or not? He still has not made a clear and definitive statement on this matter. I suspect that he will not, although he himself is not sure of that.

I know Charlie and many other hackers who know their business, hackers who wish developers no harm. I have met many of them in the past 20 years, and I know that finding vulnerabilities is not the most profitable occupation and, even more, is not the easiest way to make a living. Many talented hackers who donated bugs to developers were offended by the fact that the developer did not want to pay them for their hard work. I saw these originally well-intentioned hackers begin to take revenge on the developers. I saw these hackers selling bugs to competitors.

Money money money...

Selling exploits is a very good opportunity to make a profit, especially if you are the “bad guy.” A hacker who does not care who gets and uses the exploit can sell a vulnerability in well-known software for a fairly decent sum - $5,000, or maybe more. Prices for vulnerabilities on the black market are hard to find, but I have seen offers of about $100,000 for a buffer overflow in Windows Server 2003. Considering that many criminal groups make tens of millions of dollars or more from exploits, a price of several tens (or hundreds) of thousands of dollars for an exploit looks rather funny.

Even the good guys, many legitimate parties, pay for bugs and exploits. First, many vendors (including my employer, Microsoft) pay millions to both employees and external service providers, although they almost always (if not always) signed the contract before they found bugs in the software. CanSecWest and other contests pay for newly found vulnerabilities. A number of other organizations, such as the Zero Day Initiative, pay for finding new vulnerabilities; they make money selling protection products to their customers. And it is a poorly kept secret that our government has groups of people looking for vulnerabilities for various purposes. There have even been attempts to run auctions.

White and black

The sad fact is that the profit for a vulnerability found by a “white” hacker is several times less than for one sold on the black market. The thing is that a “white” hacker cares about product security and protecting people, while the “bad guy” cares about profit, revenge, and so on. A friend of mine who works at a large software company analyzed the company's costs for paying bonuses for bugs found. He found out that an employee gets less than $25 for a found bug. You must agree that it would be sooo difficult for a legitimate hacker to live on such a figure.

There are many ways to make money in this world. My computer books would sell better if they contained pornography. I could supplement my income by selling drugs, but I have to be able to look in the mirror and be proud of what I do. I get paid to hack, but I have never done it without permission or out of dislike for someone.

Perhaps many companies do not pay $5,000 or more for a bug found, but they have built successful - sometimes very successful - businesses. They have become names in the industry and produced individual stars. Their owners have grown their companies and created long-term careers for their employees.

For every infamous hacker, I can name two legitimate hackers and their companies - @stake, ZDI, iDefense, David Litchfield, Foundstone, Dave Aitel, Immunity, and many others.

Charlie and the other "No More Free Bugs" advocates deserve to make a living by doing what they do best. But I hope they look at those who sell the bugs they find. We need them to convince us that they are on our side. Always.

Source: https://habr.com/ru/post/57594/