Paid Advertising
web application security lab

Selling Exploits for Cash

id just sent me a link to Dark Reading talking about the controversial prospect of selling exploit code for cash.  It has been something I’ve talked about in the past, and actually I was alerted to it by OptikLenz as well.  The website is called Zero Day Initiative (it has been live for about a year now).  The black market is buying “weaponized” exploits that require little to no skill for up to 2-5 times the highest asking prices of these websites.

Call me crazy, but this is a huge market place now.  Considering that Phishing is a billion dollar industry, who cares if they have to spend $50k for a remote windows exploit to help them host phishing sites?  Or $10k for a new spamming technique.  It’s a small price to pay when the ultimate gain could be tremendous for the assailant.

And do you think 3Com or Tippingpoint are doing this for the good of humanity?  No, they are reselling it via their contracts with their customers to make more money off of the exploit code.  The economics of hacking are beginning to move into the free market economy and away from the socialist free-for-all of the last decade.

3 Responses to “Selling Exploits for Cash”

  1. WhiteAcid Says:

    I recently also came across this and had a good discussion over at
    Matt Murphy from TippingPoint had some input so it’s most definately worth a read.

    I’d also like to point out that the goal of any business is to make money, you cannot penalise them for that.

  2. RSnake Says:

    Oh, I’m not chastizing them… in fact, if I were them, I’d do the same thing. I just don’t want anyone to get the false impression of what their code is going to be used for. Ultimately, I think this is a really good idea.

  3. maluc Says:

    This entry is kinda old.. but i’ll add my info anyway

    I’ve asked ZDI about whether persistant XSS or SQL injections were applicable .. they said no.