But “over the past five years, fame seekers have disappeared,” said David Perry, global director of education at Trend Micro. “The people who are drawn there to make a living are not the same people who were drawn there out of passion.”
In 2002, iDefense Labs became one of the first companies to pay for software flaws, offering just a few hundred dollars for a vulnerability. The company administered the program quietly for a few years, then responded to early criticism by saying that it was disclosing the bugs responsibly, notifying the software makers and its own customers before announcing them to the general public.
“We give vendors ample time to respond and then try to release them responsibly,” said Jim Melnick, director of threat intelligence at iDefense.
In 2005, TippingPoint, a division of the networking giant 3Com, joined iDefense in the nascent market with its “Zero Day Initiative” program, which last year bought and resold 82 software vulnerabilities. iDefense said its independent researchers discovered 305 flaws in commonly used software in 2006, up from 180 in 2005, and that it paid $1,000 to $10,000 for each, depending on severity.
Security researchers warmed to the idea that vulnerabilities were worth real money. In December 2005, a hacker calling himself “Fearwall” tried to sell on eBay a program that disrupted computers through a flaw in Microsoft’s Excel spreadsheet software. Bids reached a paltry $53 before the auction site pulled the listing.
Nevertheless, several Internet attacks in the months that followed exploited flaws in Excel, suggesting to security experts that the program’s creator had eventually found another way to sell it.
In January 2006, a Moscow-based security firm, Kaspersky Labs, found more evidence of an emerging market for software bugs. Russian hacking gangs, the firm revealed at the time, had sold a “zero-day” program that targeted Microsoft’s Windows Metafile (WMF) graphics file format. The price: $4,000.