David Endler

The China-based attacks on Google users, carried out through a vulnerability in Internet Explorer, launched a recent flurry of questions about how much a vulnerability like that would be worth on the black market. As the founder of today's two leading incentive-based vulnerability programs, I could give an idea of the price it would fetch, but I don't think that really addresses the question of worth. On the black market, a vulnerability of that kind could fetch, on average, $30,000 to $40,000. In the legitimate public markets, the same vulnerability would sell for less than $20,000. 

For a software vendor, developing and deploying a patch for a vulnerability may run to the hundreds of thousands of dollars. However, if that vulnerability were used to exploit users and steal information, the price in lost confidence and reputation, while harder to quantify, may be even higher.

Today's corporate networks are loaded with information with the potential to generate significant profit on the black market. Employee records, financial or customer data and R&D information are a warehouse of assets that can be bought, sold and traded in the wrong hands.

For cybercriminals, the value of a vulnerability is simple: How much can they make from selling this information? And will exploitation of the vulnerability pay dividends on their initial investment?

For organizations, the value of such a vulnerability is calculated in terms of loss. For example, how much revenue can be lost if R&D information is stolen and sold to a competitor? In some cases, millions of dollars.

Clearly, “worth” varies with perspective. Programs like the Zero Day Initiative seek to unearth these types of vulnerabilities before they reach the black markets and before their “worth” escalates. For software vendors and businesses, that early discovery protects the value of their most valuable assets.

David Endler is also the chairman and founder of the industry group Voice over IP Security Alliance (VOIPSA).