Forum Debian Users Gang

Tu masz opracowanie https://en.wikipedia.org/wiki/Market_for_zero-day_exploits

Typically the parties opposed to gray markets are the retailers of the item in the market as it damages its profits and reputation. As a result, they usually pressure the original manufacturer to adjust the official channels of distribution. The state also plays an important role enforcing penalties in the case of law infringement. However, the zero-day exploit market is atypical and the way it operates is closer to the workings of the black market. Brokers and bounty programs, which could be seen as retailers of zero-days, have no control whatsoever on the original producers of the "bad" as they are independently discovered by different, and often anonymous, actors. It is not in their interest to change the channel of distribution as they can profit from both the white and gray markets, having much less risk in the former.

States, which usually complement the labour of the original manufacturers to restrict gray markets, play a different role in the zero-day market as they are regular purchasers of exploits. Given the secretive nature of information security, it is not in their interest to disclose information on software vulnerabilities as their interest is, in this case, aligned with that of the criminals who seek to infiltrate devices and acquire information of specific targets. It can be argued that the presence of intelligence agencies as consumers of this "bad" could increase the price of zero-days even further as legitimate markets provide bargaining power to black-market sellers.[5]

Finally, private companies are unwilling to raise the prices of their rewards to those levels reached in the gray and black markets arguing that they are not sustainable for defensive markets.[15] Previous studies have shown that reward programs are more cost-effective for private firms as compared to hiring in-house security researchers,[16] but if the prize of rewards keeps increasing that might not be the case anymore.

In 2015, Zerodium, a new start-up focused on the acquisition of "high-risk vulnerabilities", announced their new bounty program. They published the formats required for vulnerability submissions, their criteria to determine prices—the popularity and complexity of the affected software, and the quality of the submitted exploit—and the prices themselves. This represents a mixture of the transparency offered by traditional vulnerability reward program and the high rewards offered in the gray and black markets.[17] Software developer companies perceived this new approach as a threat, primarily due to the fact that very high bounties could cause developer and tester employees to leave their day jobs.[15] Its effects on the market, however, are yet to be defined.

The NSA was criticized for buying up and stockpiling zero-day vulnerabilities, keeping them secret and developing mainly offensive capabilities instead of helping patch vulnerabilities.[18][19][20][21][/quote]

---

Burble, Burble, Burble ... hahaaaaaaa :D

Forum Linux Mint Polska http://forum.linuxmint.pl/