1 post • joined 18 Jan 2013
the important bit: they're not buying 0day yet
You can't really compare ZDI or Google's bounty programs with what Packetstorm is offering right now:
ZDI is buying 0day, Google is buying 0day. Packetstorm is (so far) buying not 0day, but merely more details on bugs that are no longer 0day ("0.5day or "1day").
What Packetstorm is offering to buy so far is information about bugs which are are *known* to exist, which the bad guys might have exploits for, but which the good guys don't have much information on.
More information for sysadmins and security professionals is probably a good thing, and that's been the point of the whole full-disclosure movement for the last 20 years at least.
As a side effect, getting full details on these bugs out might also depress prices in some of the underground market places, since their privately-held exploits won't stay secret as long. Using economic forces to put the squeeze on Ukrainian cyber criminals may also be a good thing (though it's difficult to predict).
That Packetstorm isn't listing 0day prices for the things they want seems reasonable, since it's not 0day.
- Product round-up Six of the best gaming keyboard and mouse combos
- Opinion So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
- LinuxCon 2014 GitHub.io killed the distro star: Why are people so bored with the top Linux makers?
- Opinion IT blokes: would you say that LEWD comment to a man? Then don't say it to a woman
- 6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)