The value of a vulnerability by ProQuest

Opinion

David Endler, senior director of security research, TippingPoint

The value of a vulnerability

The Chinese-based attacks on Google users via a vulnerability in Internet Explorer launched a recent flurry of questions about how much a vulnerability like that would be worth on the black market. As the founder of today's two leading incentive-based vulnerability programs, I could give an idea of the price it would fetch, but I don't think that really addresses the question of worth. On the black market, the above type of vulnerability discovery could fetch on average $30,000 to $40,000. In the legitimate public markets, that same code would sell for less than $20,000.

For a software vendor, developing and deploying a patch for a vulnerability may run to the hundreds of thousands of dollars. However, if that vulnerability were used to exploit users and steal information, the price in lost confidence and reputation, while harder to quantify, may be even higher.

Today's corporate networks are loaded with information with the potential to generate significant profit on the black market. Employee records, financial or customer data and R&D information are a warehouse of assets that can be bought, sold and traded in the wrong hands.

For cybercriminals, the value of a vulnerability is simple: How much can they make from selling this information? And will exploitation of the vulnerability pay dividends on their initial investment?

For organizations, the value of such a vulnerability is calculated in terms of loss. For example, how much revenue can be lost if R&D information is stolen and sold to a competitor? In some cases, millions of dollars.

Clearly, "worth" varies based on perspective. Programs like the Zero Day Initiative seek to unearth these types of vulnerabilities before they enter the black markets and before their "worth" escalates. And for software vendors and businesses, this ensures the value of their most valuable assets.

David Endler is also the chairman and founder of the industry group Voice over IP Security Alliance (VOIPSA).




Cloudy and a chance of threats

The term "cloud computing" puts both giddiness and fear in the hearts of IT

To guard against any data loss of confidential projects for data stored in the cloud, IT admin-