The value of a vulnerability

David Endler, senior director of security research, TippingPoint

The Chinese-based attacks on Google users via a vulnerability in Internet Explorer launched a recent flurry of questions about how much a vulnerability like that would be worth on the black market. As the founder of today's two leading incentive-based vulnerability programs, I could give an idea of the price it would fetch, but I don't think that really addresses the question of worth. On the black market, the above type of vulnerability discovery could fetch on average $30,000 to $40,000. In the legitimate public markets, that same code would sell for less than $20,000.

For a software vendor, developing and deploying a patch for a vulnerability may run to the hundreds of thousands of dollars. However, if that vulnerability were used to exploit users and steal information, the price in lost confidence and reputation, while harder to quantify, may be even higher.

Today's corporate networks are loaded with information with the potential to generate significant profit on the black market. Employee records, financial or customer data and R&D information are a warehouse of assets that can be bought, sold and traded in the wrong hands.

For cybercriminals, the value of a vulnerability is simple: How much can they make from selling this information? And will exploitation of the vulnerability pay dividends on their initial investment?

For organizations, the value of such a vulnerability is calculated in terms of loss. For example, how much revenue can be lost if R&D information is stolen and sold to a competitor? In some cases, millions of dollars.

Clearly, "worth" varies based on perspective. Programs like the Zero Day Initiative seek to unearth these types of vulnerabilities before they enter the black markets and before their "worth" escalates. And for software vendors and businesses, this ensures the value of their most valuable assets.

David Endler is also the chairman and founder of the industry group Voice over IP Security Alliance (VOIPSA).

Cloudy and a chance of threats

The term "cloud computing" puts both giddiness and fear in the hearts of IT

To guard against any data loss of confidential projects for data stored in the cloud, IT admin-