Not all researchers are comfortable with the ethics of selling the zero-day vulnerabilities they've discovered to governments and offensive security companies. But those who do seek profit beyond that of a traditional bug bounty reward will require a fair share of business savvy to seal the deal, according to former vulnerability broker Maor Shwartz, in a Black Hat presentation yesterday that offered a unique inside glimpse into the zero-day economy.
Shwartz's vulnerability brokerage firm, Q-recon, closed down last year, yet he still offers free business guidance to researchers. In that spirit, Shwartz offered conference attendees a series of tips on how to properly close a transaction while avoiding damaging one's reputation when selling a zero-day.
Many of his key recommendations revolved around maintaining a trustful relationship with buyers. For example, researchers who discover a quality vulnerability should be honest if the corresponding exploit they developed needs improvement. "If you have this beautiful vulnerability, but the exploit is the problem, please tell them [the buyer] because it will literally save the deal," said Shwartz. "Once they understand that, they will be willing to pay you the full amount or reduce a little bit. Just because the exploit isn't good enough doesn't mean the vulnerability" isn't good enough, he continued.