A small security research firm is planning to include advertising in its next security vulnerability report as a means to compensate the vulnerability’s finder.
HexView, a two-year-old Los Angeles-based research outfit, is currently auctioning two ad slots in its next vulnerability alert, which will provide technical details of a hole in Microsoft Corp’s Excel spreadsheet software.
The company is hoping that the earlier media coverage of the vulnerability, which its finder had already tried to sell on eBay and on security mailing lists, will encourage advertisers to buy the space.
"There is definitely a logic behind advertising a product in the vulnerability disclosure, especially if that product offers remediation features," HexView's principal researcher, Max Solonski, said in an email interview.
"The other opinion is that vulnerability disclosures are commonly considered 'a bad thing' and it affects the image of the company that decides to put their ads in the publication," he added. "The exact answer to the question is the target of our research."
While the move is believed to be unprecedented, the commercialization of vulnerability research is not new. At least two organizations offer cash to researchers who find vulnerabilities in commercial software products.
iDefense, acquired by VeriSign Inc last year, has long offered bounties for zero-day vulnerabilities. Last summer, TippingPoint, a unit of 3Com Corp, launched the Zero Day Initiative with much the same business model.
The idea behind those two programs is to protect paying customers days, weeks or months before an official patch becomes available, not to mention the publicity that comes with discovering a high-profile, high-risk bug.
VeriSign's iDefense and TippingPoint's ZDI both have policies of withholding technical details of a vulnerability until a patch is available. HexView takes a harder line, saying it will publish details of critical vulnerabilities 30 days after notifying the vendor unless there is a special case for an extension.
The vulnerability in question was reported to Microsoft in December, and Microsoft, which is working on a patch, has reportedly confirmed that it is genuine. It is said to allow execution of malicious code when a specially crafted Excel document is opened.
It came to light after the finder, who used the handle "fearwall", said he had tried and failed to sell the zero-day to ZDI and iDefense. He then put it up for auction on eBay, saying he would sell to anyone, good or bad, but would give Microsoft employees a 10% discount.
According to HexView, that auction saw bids up to $1,200 before eBay pulled it, though press reports put that number somewhat lower. HexView’s auction for ad space starts at $600 per slot.