back to article Did ZDI snub your 0-day attack? Packet Storm will buy it for $7k

Long-running computer security website Packet Storm has launched a bug bounty scheme to reward folks who find and report holes in software. Details of qualifying flaws will eventually be publicly disclosed. Under the new scheme, contributors will be typically paid anywhere between a few hundred dollars and $7,000 for exploits …


This topic is closed for new posts.
  1. nuked

    Add a zero or two and it might just work to keep zero-days above-ground.

  2. Ahmed the dead terrorist

    the important bit: they're not buying 0day yet

    You can't really compare ZDI or Google's bounty programs with what Packetstorm is offering right now:

    ZDI is buying 0day, Google is buying 0day. Packetstorm is (so far) buying not 0day, but merely more details on bugs that are no longer 0day ("0.5day or "1day").

    What Packetstorm is offering to buy so far is information about bugs which are are *known* to exist, which the bad guys might have exploits for, but which the good guys don't have much information on.

    More information for sysadmins and security professionals is probably a good thing, and that's been the point of the whole full-disclosure movement for the last 20 years at least.

    As a side effect, getting full details on these bugs out might also depress prices in some of the underground market places, since their privately-held exploits won't stay secret as long. Using economic forces to put the squeeze on Ukrainian cyber criminals may also be a good thing (though it's difficult to predict).

    That Packetstorm isn't listing 0day prices for the things they want seems reasonable, since it's not 0day.

  3. koolholio

    TippingPoint is by no means 'inpenetrable'... you could liken it somewhat to its 'snort signatures'

    Sophisticatedly simple attacks rarely get noticed or even bothered about... Whats the most damage they can cause?

    Day later: Oh... that damage!

This topic is closed for new posts.