Buying and Selling Software Bugs

The New York Times has an interesting article on how a market exists for software bugs. If you find a new bug in any piece of software (typically a security-related issue), you can sell it on that market, either to “legal” buyers such as security companies, who buy it to plug the hole, or to hackers and other internet criminals who can use the knowledge for identity-theft schemes or spam attacks.

Excerpt:

The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chat rooms trying to sell the holes they have discovered, and the coding to exploit them.

And also:

“To find a vulnerability, you have to do a lot of hard work,” said Evgeny Legerov, founder of a small security firm, Gleg Ltd., in Moscow. “If you follow what they call responsible disclosure, in most cases all you receive is an ordinary thank you or sometimes nothing at all.”

Gleg sells vulnerability research to a dozen corporate customers around the world, with fees starting at $10,000 for periodic updates. Mr. Legerov says he regularly turns down the criminals who send e-mail messages offering big money for bugs they can use to spread malicious programs like spyware.
