Discover Bugs for Pay

Security vendors are compensating researchers and other third parties in cash for exploits they discover, according to Dark Reading

July 24, 2006


NEW YORK -- Security vendors, anxious to get advance word on potential holes in their commercial software products, are compensating researchers and other third parties in cash for exploits they discover, according to CMP Technology's Dark Reading Website.

Transactions between software vendors and legitimate researchers can run between $2,000 and $10,000, while black market transactions – using exploits as tools for worms, phishing, and other malware – reportedly can soar as high as $30,000 for these "weaponized exploits."

"What the two markets have in common is potential impact: The more targets a bug can hit if it's converted into an exploit and let loose in the wild, the more it pays," writes Kelly Jackson Higgins in her story, "Bucks for Bugs."

To read the full article, visit: Dark Reading.

Even the more legitimate finder's fees are not without controversy. Security vendor iDefense raised eyebrows earlier this year by sponsoring a contest where the company paid $10,000 for remote Windows vulnerabilities.

Should vendors and researchers be paying for bugs? It's an ethical quandary. Some say the practice makes systems safer and more secure; others say profit is causing the creation of a market that creates more vulnerabilities. And the market is volatile: Bidding wars have been witnessed as vendors seek to be the first to market with a patch for an emerging vulnerability.

Not all researchers sell their bugs, however, and not all security firms will buy them, Dark Reading reports. eEye Digital Security, for instance, hires its own bug hunters and doesn't buy or sell what it finds.

For more information on "Bucks for Bugs," or on Dark Reading, go to


Alix Raine
SVP Communications
CMP Technology
600 Community Drive
Manhasset, NY 11030
[email protected]

About Dark Reading
Dark Reading is the latest enterprise-focused Web publication to emerge from CMP Technology's business unit, Light Reading Inc. As the Web's only one-stop security shop, Dark Reading simplifies the challenges IT professionals face in keeping informed about the latest viruses, enterprise network security, and data privacy.

About Light Reading Inc.
Founded in 2000, Light Reading Inc. is the ultimate source for technology and financial analysis of the communications industry, leading the media sector in terms of traffic, content, and reputation. It reaches an extensive audience of executives and technologists within the telecom and enterprise networking communities, as well as the financial/industry analysts and investors who track these sectors. Light Reading was acquired by United Business Media in August 2005, and operates as a unit of CMP Technology.

About CMP Technology
CMP Technology (CMP) is a marketing solutions company serving the technology industry. Through its market-leading portfolio of trusted information brands, CMP has earned the confidence of more technology professionals than any other media company. As a result, CMP is the premier provider of access, insight and actionable programs designed to connect sellers and buyers in ways that yield superior return on investment. CMP Technology is a subsidiary of United Business Media (UBM), a global provider of news distribution and specialist information services with a market capitalization of more than $3 billion.
