Add a zero or two and it might just work to keep zero-days above-ground.
Long-running computer security website Packet Storm has launched a bug bounty scheme to reward folks who find and report holes in software. Details of qualifying flaws will eventually be publicly disclosed. Under the new scheme, contributors will be typically paid anywhere between a few hundred dollars and $7,000 for exploits …
Friday 18th January 2013 19:28 GMT Ahmed the dead terrorist
the important bit: they're not buying 0day yet
You can't really compare ZDI or Google's bounty programs with what Packetstorm is offering right now:
ZDI is buying 0day, Google is buying 0day. Packetstorm is (so far) buying not 0day, but merely more details on bugs that are no longer 0day ("0.5day or "1day").
What Packetstorm is offering to buy so far is information about bugs which are are *known* to exist, which the bad guys might have exploits for, but which the good guys don't have much information on.
More information for sysadmins and security professionals is probably a good thing, and that's been the point of the whole full-disclosure movement for the last 20 years at least.
As a side effect, getting full details on these bugs out might also depress prices in some of the underground market places, since their privately-held exploits won't stay secret as long. Using economic forces to put the squeeze on Ukrainian cyber criminals may also be a good thing (though it's difficult to predict).
That Packetstorm isn't listing 0day prices for the things they want seems reasonable, since it's not 0day.