Hackers Out-pay Corporations for Security Flaw Details: Report
A new survey appears to confirm what most would suspect: people who discover security flaws make more money selling the details to criminals than to legitimate security companies.
Research firm "Unsecurity" has carried out a survey of people who have discovered zero-day vulnerabilities and then sold them to security companies, which use the data to improve their products.
Zero-day vulnerabilities occur when the original software manufacturer is unaware of a security risk in a software program. The name comes from the idea that once the manufacturer discovers the problem, there's a race between the manufacturer trying to find a solution and hackers trying to find a way to take advantage of the issue before the solution has been released to the public.
Security Firms Fill Gray Area
The security firms covered by the survey are in somewhat of a gray area. On the one hand, they don't in any way seek to exploit the vulnerabilities in order to hack computers. On the other hand, they will sometimes try to develop their own solution before informing the software manufacturer.
While that's not illegal at all, many people believe anyone who knows of a problem should immediately tell the manufacturer in order to minimize the risk: a view supported by manufacturers.
Those who do discover security flaws have two choices: they can tell the manufacturer directly, or they can sell the details to underground hackers, a potentially lucrative route that can earn six-figure sums for the right combination of dangerous flaws in a widely-used application. (Source: about.com)
$10K Paydays a Rarity
According to the Unsecurity report, the third option of selling to security firms is something of an unsatisfying bridge between the other two routes. It doesn't give the moral satisfaction of helping out the manufacturer, but it also doesn't give the hefty rewards of selling to hackers. With virtually every firm mentioned by respondents, the most common price category ranged from nothing up to $1,000, while the vast majority of payoffs were under $10,000. (Source: unsecurityresearch.com)
There are some caveats to the study. One is that the sample size for the survey group appears to have been very small. Another is that sellers may be persuaded to keep quiet about large payoffs by security firms which don't want market prices driven up.
It's also important to note that payoffs from hackers are less reliable: in such a case, it's very unlikely a hacker would complain to the Better Business Bureau if he got 'stiffed' on such a deal, for example.