1 post • joined 18 Jan 2013
the important bit: they're not buying 0day yet
You can't really compare ZDI or Google's bounty programs with what Packetstorm is offering right now:
ZDI is buying 0day, Google is buying 0day. Packetstorm is (so far) buying not 0day, but merely more details on bugs that are no longer 0day ("0.5day or "1day").
What Packetstorm is offering to buy so far is information about bugs which are are *known* to exist, which the bad guys might have exploits for, but which the good guys don't have much information on.
More information for sysadmins and security professionals is probably a good thing, and that's been the point of the whole full-disclosure movement for the last 20 years at least.
As a side effect, getting full details on these bugs out might also depress prices in some of the underground market places, since their privately-held exploits won't stay secret as long. Using economic forces to put the squeeze on Ukrainian cyber criminals may also be a good thing (though it's difficult to predict).
That Packetstorm isn't listing 0day prices for the things they want seems reasonable, since it's not 0day.