The developing market in exploitable software bugs — with both white hats and black hats participating: A Lively Market, Legal and Not, for Software Bugs
Companies like Microsoft do not endorse such bounty programs, but they have even bigger problems: the willingness of Internet criminals to spend large sums for early knowledge of software flaws that could provide an opening for identity-theft schemes and spam attacks.
The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chat rooms trying to sell the holes they have discovered, and the coding to exploit them.
Especially prized are so-called zero-day exploits: attack code for flaws that spreads immediately because no patch or known defense exists yet.
Software vendors have traditionally asked security researchers to alert them first when they find bugs in their software, so that they could issue a fix, or patch, and protect the general public. But now researchers contend that their time and effort are worth much more.
“To find a vulnerability, you have to do a lot of hard work,” said Evgeny Legerov, founder of a small security firm, Gleg Ltd., in Moscow. “If you follow what they call responsible disclosure, in most cases all you receive is an ordinary thank you or sometimes nothing at all.”