Sunday, December 11, 2005

The (in)security black market

A very interesting news item appeared in eWeek on 9th December: someone discovered a new vulnerability in Microsoft Excel, developed an exploit (so-called 0day code) and started an auction on eBay to sell it.


From a starting price of 1 cent, 19 potential buyers raised it to 60 dollars before eBay removed the item (more on the auction chronology here).
Obviously this behavior is contrary to any ethical action a bug hunter should take.

The price reached only 60 dollars for 2 good reasons:

  • This was the first time someone tried to sell an exploit in this way (at least on a public, widely known auction system), so few potential buyers were in the right place at the right moment

  • eBay removed the item within a few hours

This doesn't mean this selling technique was never used before.

In underground channels it is usual to sell and buy 0day exploits, and prices are much higher than 60 dollars.
This market is mostly undiscovered, since 99.9% of these exploits are used for other, more serious things than creating worms (the only thing the world press seems to be interested in).

This event should shine a light on the world's (in)security underground market: on one side it may grab the attention of authorities and the general public; on the other it may accelerate that market's growth (crackers who never thought about this opportunity could start considering this method to raise money very fast).
