Discovering Security Bugs for Fun and Profit

Security vendors, anxious to get the advance word on potential holes in their commercial software products, are compensating researchers and other third parties in cash for exploits that they discover, according to CMP Technologies' Dark Reading Website.

Transactions between software vendors and legitimate researchers can run between $2,000 and $10,000, while black market transactions -- for exploits used as tools for worms, phishing, and other malware -- can reportedly soar as high as $30,000 for these "weaponized exploits."

Even the more legitimate finder's fees are not without controversy. Security vendor iDefense raised eyebrows earlier this year by sponsoring a contest where the company paid $10,000 for remote Windows vulnerabilities.

Should vendors and researchers be paying for bugs? It's an ethical quandary. Some say the practice makes systems safer and more secure; others say the profit motive is creating a market that produces more vulnerabilities.

And the market is volatile: bidding wars have been witnessed as vendors seek to be the first to market with a patch for an emerging vulnerability.

Not all researchers sell their bugs, however, and not all security firms will buy them, Dark Reading reports. eEye Digital Security, for instance, hires its own bug hunters and doesn't buy or sell what it finds.