Getting a paycheck for their valuable work has been a focus of three researchers who started the group No More Free Bugs more than 18 months ago. They have their work cut out for them: In 2009, researchers were only paid for 308 vulnerabilities -- or about 5 percent -- of the more than 5,700 bugs found that year, according to data from analyst firm Frost & Sullivan. (Note: This does not include security professionals who found vulnerabilities as part of their job.)
"This is about people wanting to get paid," says Charlie Miller, a founder of the group and principal analyst with Independent Security Evaluators. "They are doing work that is hard to do, and I think they should get paid for it."
The problem for ExploitHub, says Miller, is that the value of exploits remains to be seen. The market for vulnerabilities, for example, ranges from low-value sales (typically thousands of dollars for a confirmed flaw) to the known bug bounty programs, to higher-value sales ($10,000 to more than $100,000) on the gray market. Gray market buyers are generally government programs that want to protect themselves against such vulnerabilities but could also use the flaws for espionage or other activities. Typically, demonstrating reliable exploitation of the flaw is a requirement of the sale.
Because the bug bounty programs do not pay very well and many security experts refuse to give up their research for free, Miller suspects that a lot of vulnerabilities are going unreported.
"I have thought for a long time that you will see fewer researchers who are reporting vulnerabilities," he says. "They are more valuable now ... especially because they are harder to find."
Exploitation has become more difficult as well. Defenses such as address space layout randomization (ASLR), which randomizes where code and data land in memory, and the ability to mark certain areas of memory as non-executable (DEP/NX) make reliably exploiting vulnerabilities hard: an attacker can no longer count on a fixed address to return into, nor on being able to run injected code from the stack or heap.
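Whether a given program actually benefits from those two defenses is something a practitioner can check per binary. On Linux, the main executable only gets full ASLR if it was built position-independent (ELF type ET_DYN), and its stack is only non-executable if the PT_GNU_STACK program header is present without the executable flag; the script below, an added example that is not part of the InfoWorld article and not an ExploitHub tool, reads exactly those two fields from an ELF64 header. The sample images it inspects are constructed in memory by the helper build_elf (an assumption for illustration, not a real binary) so the script runs offline; inspect_elf works the same on a real file read from disk.

```python
"""Check an ELF64 image for two exploit mitigations: PIE (required for ASLR of the
main binary) and a non-executable stack (PT_GNU_STACK without PF_X).
Added example; the sample binaries are constructed in memory, not real programs."""
import struct

ET_EXEC, ET_DYN = 2, 3                   # e_type values
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551    # program header types
PF_X, PF_W, PF_R = 1, 2, 4               # p_flags bits
EHDR_FMT = "16sHHIQQQIHHHHHH"            # Elf64_Ehdr, 64 bytes, no padding
PHDR_FMT = "IIQQQQQQ"                    # Elf64_Phdr, 56 bytes (p_type, p_flags first)


def inspect_elf(data):
    """Return {'pie': bool, 'gnu_stack': bool, 'nx': bool} for an ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
    ehdr = struct.unpack_from(endian + EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]

    gnu_stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(endian + "II", data, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags

    return {
        # ET_DYN is what a PIE executable is linked as (shared objects are ET_DYN too)
        "pie": e_type == ET_DYN,
        "gnu_stack": gnu_stack_flags is not None,
        # no PT_GNU_STACK at all: the x86 Linux loader falls back to an executable stack
        "nx": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
    }


def build_elf(e_type, stack_flags=None):
    """Construct a minimal little-endian x86-64 ELF64 image (headers only, not runnable).
    Hypothetical sample input for the example; pass stack_flags=None to omit PT_GNU_STACK."""
    phdrs = [struct.pack("<" + PHDR_FMT, PT_LOAD, PF_R | PF_X,
                         0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append(struct.pack("<" + PHDR_FMT, PT_GNU_STACK, stack_flags,
                                 0, 0, 0, 0, 0, 0x10))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1, SYSV
    ehdr = struct.pack("<" + EHDR_FMT, e_ident, e_type, 62, 1, 0x401000,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, inspect_elf(f.read()))
    else:
        print("pie + nx    ", inspect_elf(build_elf(ET_DYN, PF_R | PF_W)))
        print("exec stack  ", inspect_elf(build_elf(ET_EXEC, PF_R | PF_W | PF_X)))
        print("no GNU_STACK", inspect_elf(build_elf(ET_EXEC)))
```

Two caveats on reading the result: the PIE test is the same heuristic checksec-style tools use, so a shared library also reports as "pie", and the header only records what the binary asked for; whether the kernel honours it depends on the system's randomize_va_space setting and on which modules a process loads, so a non-PIE plugin or library can still hand an attacker fixed addresses in an otherwise randomized process.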
The value in exploits for already patched flaws seems questionable, yet companies and individuals are generally far behind in patching their systems. While Windows systems are patched in about two weeks, some applications -- such as Microsoft Office and Adobe Acrobat Reader -- take far more time to get patched. Enterprise red teams -- authorized hackers who seek out vulnerable systems before the bad guys attack them -- could benefit from having a larger pool of exploits from which to choose.
However, sharp researchers can generally create their own exploits, leading Miller to question whether there will be any demand for ExploitHub.
"There are about a hundred guys who care about my exploit," he says. "I'm all for open markets ... I'm just not interested in buying exploits."
This article, "An app store where security researchers sell exploits," was originally published at InfoWorld.com.