Vulnerability Purchasing
Posted by jericho
Several years ago, iDefense started purchasing vulnerabilities from freelance researchers, and created its Vulnerability Contributor Program. Find a vulnerability, disclose it to iDefense under mutual NDA, and they would act as a mediator between you and the vendor for disclosure. After a patch was available, iDefense releases an advisory and pays you. Ignoring the fact that they would sit on the information for up to a year before disclosing it to the vendor, this program rewarded people for finding and disclosing vulnerabilities.
Months back, David Endler left iDefense to join Tipping Point, a division of 3Com. Shortly after, TP announced its “zero day initiative”. Like iDefense, the ZDI would pay for vulnerabilities, but also created a ‘loyalty’ program for continuing to disclose vulnerabilties through them (wonder if they give out keychain thingies like my grocery store does?).
Now, Digital Armaments is also offering a “pay for vuln” program. Instead of just offering cash for 0-day, they also offer trade-in credit so you can receive other 0-day in return for your own. This deviates off the path of “responsible disclosure” (questionable under the other two models) quite a bit.