Bruce Schneier has written about, and compiled links on, the market for creating and selling zero-day exploits in his Crypto-Gram newsletter.
Here are some highlights:
- Forbes published a price list for zero-day exploits.
- The more exploits are sold rather than disclosed to vendors, the more likely it is that zero-days stay secret and unpatched.
- Criminal organizations, companies, and governments (including the NSA) pay for exploits.
- The amounts paid for zero-day exploits give software engineers an incentive to plant vulnerabilities in their own code and then sell them (get paid twice).
I’m working my way through all the articles that Schneier wrote or linked to, and you may find them interesting too. See it all here.
I strongly suggest you at least read these:
- Cyber Weapons: The New Arms Race
I’m interested in what you think. Does it sound too much like sci-fi? Does it scare you? Do the antivirus and anti-malware vendors detect ALL exploits, or do they ignore the ones the NSA releases?