We’re talking about bounties for “zero day vulns” with no guarantee or knowledge of how those vulnerabilities are going to be used. Tipping Point and iDefence are clearly able to fund their bounties – and somehow I doubt that they’re doing it by immediately releasing the vulnerabilities that they buy.

To quote from the iDefence website:

Our Vulnerability Contributor Program (VCP) compensates individuals who provide us with advance notification of unpublished vulnerabilities and/or exploit code.

That’s advance notice – and note that there’s no comment about the use of the vulnerabilities. If I were in that market, it’d be a fine sight better economics to turn around and sell that vulnerability to a select list of well heeled clients, rather than using it for “research” and “product improvement”, and then releasing it.

Further, you’re a number of years out of date if you think that “the bad guys” aren’t already researching and using vulnerabilites discretely for targeted attacks. A recent Washington Post article about crackers using spyware to earn money from advertisers is quite clear about that link.

The bad guys in recent years have come into lots of money. They can afford to research their own vulnerabilities. It won’t be long before they use them discretely for targeted attacks. Gone will be the days of massively spreading worms that announce the vulnerability so effectively.

1. Packaging. Consider big vulnerabilities vs. small. Ok, so they pay more for a big vulnerability than a small one, because it can cause more damage, and it demands more attention to fix. So if I save up ten smaller vulnerabilities and release them all at the same time, that creates much more of a headache for the response team at M$. You can make the vulnerabilities yourself, or you can buy individual vulnerabilities, package them up, and release them in bursts, to cause maximum headache. Then some other poor sod has to buy the bundle to turn it back into a trickle. My point here is that commoditisation of an evil object (“the vulnerability) creates new purely economic ways to be evil, just by manipulating these objects. And so the total amount of evilness gets magnified.

2. The Secret Police. Ok so in these vulnerability companies we have organisations that hoard dirt on other people — like the secret police. So what if they get hacked? What potential fallout could there be? On the other hand, what if they get too powerful?

3. “Legal Blackmail”. This is twisted, but it seems to follow to me, that if you make it your business to pay for vulnerabilities, you should offer a price on any vulnerability, depending on it’s value to you — how much money you can make out of re-selling it, or fixing it first. So how much would TippingPoint pay for a vulnerability in iDefense’s fast patching software? Furthermore, seeing as iDefense explicitly pays for vulnerabilities, why not sell them their own vulnerability? In any other circumstances this would be blackmail, but they can hardly complain.