RE: Trend Micro's Vista "0day exploit auction" claim

From: Chris Poulter (Chris.Poulter@uniqueworld.net)
Date: Tue Dec 19 2006 - 18:54:18 EST

• Next message: Sels, Roger: "RE: Trend Micro's Vista "0day exploit auction" claim"
• Previous message: Cody Tubbs: "Re: Trend Micro's Vista "0day exploit auction" claim"
• In reply to: Cody Tubbs: "Re: Trend Micro's Vista "0day exploit auction" claim"
• Next in thread: Sels, Roger: "RE: Trend Micro's Vista "0day exploit auction" claim"
• Reply: Sels, Roger: "RE: Trend Micro's Vista "0day exploit auction" claim"
• Reply: Cody Tubbs: "Re: Trend Micro's Vista "0day exploit auction" claim"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

50k per vulnerability opposed to hundreds (unlikely) 60-100k/year
(unlikely) - the Q/A's might only get 40-50k/year, a security
vulnerability technician would be the one getting paid the big bucks,
but there wouldn't be "hundreds" of them? - how do you work that one out
to be more feasible?

Considering everyone is presuming there will be lots of exploits,
50k/exploit will equate to a much larger payout....

And exploit the exploiters? - how do you figure this one as well?
Someone getting paid 50k/exploit is far more beneficial to the
"exploiter" than getting nothing and just sharing the love....where MS
would lose out more if this happened and leave them more exposed...

I'm not arguing for either side of the case as I haven't looked into it
enough to make my own judgment, but I don't think your assessment is
accurate...

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Cody Tubbs
Sent: Wednesday, December 20, 2006 10:40 AM
To: Radu Oprisan
Cc: pen-test@securityfocus.com
Subject: Re: Trend Micro's Vista "0day exploit auction" claim

It's cheaper to pay kids 50k for actually finding flaws, rather than
paying hundreds of QA engineers 60-100k a pop to spend months finding
nothing. Another reason M$ sucks, exploit the exploiters.

-Cody Tubbs

Radu Oprisan wrote:
> Ryan Meyer wrote:
>
>> A number of popular tech news sources are reporting Trend Micro's
CTO,
>> Raimund Genes, publicly claiming that there are "auctions" for
zero-day
>> Windows Vista exploits. Further, he claims these auctions are
fetching
>> approx $50,000.
>>
>> Could anyone verify Trend Micro's claim?
>>
>
>
>> It seems dubious, at best, to me and possibly nothing more than pure
FUD.
>>
>> Sorry to get off topic.
>>
>> Ryan Meyer
>>
>
> This could also be some covert way for microsoft to find their own
> vulnerabilities. That has happened before.
>
>

• Next message: Sels, Roger: "RE: Trend Micro's Vista "0day exploit auction" claim"
• Previous message: Cody Tubbs: "Re: Trend Micro's Vista "0day exploit auction" claim"
• In reply to: Cody Tubbs: "Re: Trend Micro's Vista "0day exploit auction" claim"
• Next in thread: Sels, Roger: "RE: Trend Micro's Vista "0day exploit auction" claim"
• Reply: Sels, Roger: "RE: Trend Micro's Vista "0day exploit auction" claim"
• Reply: Cody Tubbs: "Re: Trend Micro's Vista "0day exploit auction" claim"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:28 EDT