The Vulnerability Market Place
It sure was a matter of time until a major newspaper (Brad Stone for the New York Times) would pick up on the subject of trading vulnerabilities (article). Specifically selling vulnerabilities to companies, which provide some kind of a service around it.
On a recent blog post at Matasano (iDefense Underbids on Vista Vulnerabilities) I commented that: “No one guaranties the so-called 0-day is really is 0-day. The seller could have used it before, or sold it before, and still the knowledge of the existence of this vulnerability/exploit is not widely known”.
Theoretically speaking one can sell a vulnerability to multiple parties, and/or abuse it for other needs, without the buyer knowing that.
The market place for vulnerabilities does bring up interesting legal, and ethical questions regarding the actions of those companies who are buying these vulnerabilities and the source(s) they are buying these from.