1 post • joined 18 Jan 2013
the important bit: they're not buying 0day yet
You can't really compare ZDI or Google's bounty programs with what Packetstorm is offering right now:
ZDI is buying 0day, Google is buying 0day. Packetstorm is (so far) buying not 0day, but merely more details on bugs that are no longer 0day ("0.5day or "1day").
What Packetstorm is offering to buy so far is information about bugs which are are *known* to exist, which the bad guys might have exploits for, but which the good guys don't have much information on.
More information for sysadmins and security professionals is probably a good thing, and that's been the point of the whole full-disclosure movement for the last 20 years at least.
As a side effect, getting full details on these bugs out might also depress prices in some of the underground market places, since their privately-held exploits won't stay secret as long. Using economic forces to put the squeeze on Ukrainian cyber criminals may also be a good thing (though it's difficult to predict).
That Packetstorm isn't listing 0day prices for the things they want seems reasonable, since it's not 0day.
- +Comment Trips to Mars may be OFF: The SUN has changed in a way we've NEVER SEEN
- OnePlus One cut-price Android phone on sale to all... for 1 HOUR
- MARS NEEDS WOMEN, claims NASA pseudo 'naut: They eat less
- Back to the ... drawing board: 'Hoverboard' will disappoint Marty McFly wannabes
- Vid Google opens new Inbox – email for people too dumb to use email