As reported by eWeek Magazine's Security Watch by Ryan Naraine:

http://securitywatch.eweek.com/exploits_and_attacks/20000_bounty_placed_on_windows_flaws_exploits_1.html

a company named Digital Armaments with little known about who they are or what they do is offering large sums of money for exploit code. This is not the first time or the first company to do it either.

So they question to the community is... do you think this is a legitimate research project or simply a malware company paying for a way to deliver their malware? If the latterm than maybe $20,000 is merely a drop in the bucket compared to what they could make. So will we soon see much higher prices?

Even if it ends up being for an illegitimate use, would you do it? Would this be like a gun manufacturer saying that they don't kill people, their customers do?

Throw in your comments,
Don

I don't really know what I think about selling exploits since there are strong cases for and against it.  But I came across  a website a while back that you can literally bid on exploits basically like eBay.  Check out the link below:

http://www.wslabi.com

Like don said his example was not the first time something like this happened.  While the site seems to have ethical intentions this could potentially be dangerous.  All in all I don't think selling exploits to someone based on the fact that they say it will be used ethically is as simple as it sounds.  It seems to me that providing someone who has not verified their identity to you is not necessarily unethical but goes against common sense.

well i thought the reason for these idefense type places was that they already have a relationship with the vendors and can make sure those things, like ensuring a patch is released before the exploit are done.

of course, you have to now count on that company to do that and not them stockpiling 0day.

I agree with the feeling of wanting it to be totally ethical and above the board, but I also see the viewpoint of the exploit researcher... he wants to get something out of the whole thing.  If someone is putting in thousands of hours to find an exploit, his/her getting some money for it is not a far stretch.  I do agree that we want this to be an ethical disclosure of the exploit, but having a system set up where exploits can be bid on does encourage vendors to help support the 'testers' that are out there finding bugs in their software.  I would say... that perhaps it would be a good thing to have a system that discloses to the vendor the exploit, as soon as the exploit is sold through the bidding process.  That brings to question though whether or not that would just encourage Vendors not to check their software as well if they knew the 0day exploits would come to them for free.  Perhaps part of the system being where the vendors to receive the exploit, they would have to pay into the system themselves.  To support the site etc...  I guess what I'm actually suggesting here is a business model more than a reply to this post, hmm.

Unfortunately I think you nailed it there Chris.  Unless vendors have to pay to get something out of it, they're not going to pay at all.  Kind of a vendor 'buy in' to get access to exploits as they are auctioned off though, seems like a decent idea to me.  We live in a world that is by and large motivated by self interest, and gain.  If we had the idealistic utopitarian society where people did thousands of hours of research just to be helpful, or where vendors paid into research grants to help further the cause.... well in that world we probably wouldn't have to worry about the exploits in the first place.  We don't quite live in a dystopia persay, but rather a capitolistic medium between the two.  I think vendors need to have access to research about their products, but I also think they need to pay to help support these 'testers'. 

i'd guess if its govt sponsored they'd want the exploit code, i'm sure there will some people that wouldnt feel any better about uncle sam stockpiling 0day either

That sadly is the price of funding. Can I draw my analogy out even further by comparing this to large multinational drug companies funding research? Probably not. Either way I wouldn't trust them with my sploits.
</flogDeadHorse>

Jimbob

Do you think the source of the funding would possibly influence the results of the research?

As for my two cents on the larger picture: there is nothing wrong with being paid to research and find exploits after all, some of us work at hacking into systems and get paid for it. It is how the product is ultimately used that makes it wrong. Let’s take the gun example. There is nothing dangerous about a gun by itself. Add ammo and someone with no experience and we start building a recipe for disaster. Now what does this persone do with the gun? Does he use it to stave off a burglary of his home or does he rob a bank? The gun just like an exploit is nothing more than a tool. It is how the tool is sued that makes it unethical.

But that is just my two cents.