When security researchers find a vulnerability in an application, they typically contact the developer and debate details of the flaw. Is it a real flaw? Can attackers exploit it? How quickly can it be fixed? Months later, after a fix, the software maker gets a more secure product -- and perhaps a lesson in secure programming -- but the researcher generally gets nothing but a pat on the back.
Several groups have found ways to pay researchers for finding vulnerabilities. Now, one company wants to create a marketplace for selling the code capable of exploiting vulnerabilities.
ExploitHub -- the brainchild of NSS Labs, a security testing firm -- takes its business model from Apple's App Store. While security experts aren't sure it will work, it marks the latest step in a trend of turning security expertise into cash.
"One of the catalysts for this idea is the conversations we have had with independent security researchers," says Rick Moy, CEO of the Carlsbad, Calif.-based NSS Labs. "We are hearing of researchers with caches of a couple hundred or a couple thousand exploits that they are sitting on. There are two things that they are looking for: To have them (the exploits) put to good use and get paid for their time."
ExploitHub will allow programmers and security experts to upload the code necessary to attack a specific vulnerability -- what's referred to as an "exploit" in security and hacking circles. ExploitHub will only host exploits for vulnerabilities that have already been publicly disclosed and patched, and will only allow known security professionals to buy the code, according to NSS Labs.
The marketplace is the latest attempt by security researchers to get paid for their work. In 2002, security firm iDefense started offering rewards for bugs in software vendors' products. The company uses the information to help developers secure their products. TippingPoint, now part of Hewlett-Packard, announced a similar bounty program in 2005 called the Zero Day Initiative. With ExploitHub, security researchers will not just get paid for finding vulnerabilities, but for programming reliable ways to use those flaws to hack into systems.