echo: osdebate
to: All
from: Rich Gauszka
date: 2007-06-03 12:06:54
subject: the value of a vulnerability

From: "Rich Gauszka" 

"The value of the vulnerability is determined by the amount of time
that the vulnerability can be used to get a return on investment before it
is patched," Foslof said. "If I'm paying $50,000 for a
vulnerability, what am I doing with it? I'm likely not trying to get it
patched."

http://www.securityfocus.com/news/11468

Two years ago, Charles Miller found a remotely exploitable flaw in a common
component of the Linux operating system, and as many enterprising
vulnerability researchers are doing today, he decided to sell the
information.

Having recently left the National Security Agency, the security
professional decided to try his hand at selling the bug to the U.S.
government. In a paper due to be presented next week at the Workshop on the
Economics of Information Security, Miller - now a principal security
analyst at Independent Security Evaluators - writes about the experience
and analyzes the market for security vulnerabilities.

In the case of the Linux flaw, one agency offered him $10,000, while a
second told him to name a price. When he said $80,000, his contact quickly
agreed. "The government official said he was not allowed to name a price,
but that I should make an offer," Miller told SecurityFocus. "And when I
did, he said OK, and I thought, 'Oh man, I could have gotten a lot more.'"

The sale underscores a significant problem for vulnerability researchers
who attempt to sell a flaw: determining the value of the information. In
addition, time is a major factor: Miller felt pressured to complete the
deal, because if anyone else found and disclosed the flaw, its value would
plummet to zero. In a second attempted sale outlined in the paper, the
disclosure clock ran out for Miller as he tried to sell a PowerPoint flaw
that Microsoft patched this past February before the researcher could close
the deal.

"The value of the vulnerability is determined by the amount of time
that the vulnerability can be used to get a return on investment before it
is patched," Foslof said. "If I'm paying $50,000 for a
vulnerability, what am I doing with it? I'm likely not trying to get it
patched."

Miller's paper comes as sales of vulnerability information are becoming
more common. Driven by researchers' reluctance to give away hard-won
information for free and the standardization on flaw bounties through
initiatives such as iDefense's Vulnerability Contributor Program and 3Com's
Zero-Day Initiative, flaw finders are increasingly trying to get paid for
their work.

Miller found out that selling a flaw for a fair price is difficult. While
the unnamed government agency offered the researcher $80,000, they placed a
condition on the sale that the exploit would have to work against a
particular flavor of Linux. Two weeks later and worried that the flaw might
be found, Miller accepted a lesser offer from the same group for $50,000
for the exploit as is.

"While I was paid, it wasn't a full success," he wrote in the
paper (PDF). "First, I had no way to know the fair market value for
this exploit. I may have been off by a factor of ten or more."

Moreover, Miller had contacts in the government, but could not initially
find the right people with whom to deal. So, he offered a 10 percent cut to
a friend who had better contacts. Other researchers might not be able to
find the right contacts to complete similar deals.

"The only reason this sale happened at all was because of personal
contacts I had, which should not be necessary for a security researcher who
wants to make a living," he wrote in the paper.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267
@PATH: 379/45 1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
