Why not sell exploits?

I read on eWeek today that eBay, in response to a request by Microsoft, recently pulled an auction for an Excel vulnerability. Apparently, the auction had gotten up to all of $53 before being taken down. According to the auction description, Microsoft employees qualified for a discount by mentioning the discount code "LINUXRULZ". Very clever.

The article got me thinking… Rather than having the auction pulled, Microsoft could have actually bid on it and won, then promptly fixed the issue, thereby hopefully preventing any actual implementation of the exploit, and at the same time, portraying themselves as a pretty good sport. Then I started thinking it might be interesting for companies like Microsoft to start offering bounties for vulnerabilities in their software. That way, the exploits stay out of the hands of evil-doers and possibly the media, the "researcher" makes a little cash, and everyone’s happy. For those who search for exploits purely for the notoriety rather than the money, maybe companies could even add the researchers’ names to a special page on their corporate site with a big and humble "Thank You" next to it. Seems like in the end, it would end up costing less in R&D, and probably in PR, as well.

3 thoughts on “Why not sell exploits?

Comments are closed.