Vulnerability researchers have always extracted value out of their work, even before there was a monetary value placed on exploits.
Security researchers at last week's CanSecWest conference dramatically announced their new philosophy that software vulnerabilities should no longer be given away. The movement cites the existence of a marketplace for vulnerabilities and extensive paid QA departments at large software houses as their motivation for monetizing vulnerabilities. The security community, including the media, has been acting like this is some new turn of events.
The reality is far different. Vulnerabilities have always generated value for their creator, albeit in evolving ways over the past 20 years. You are kidding yourself if you think that they were always published for truly altruistic purposes.
Back in the day, oh, let's say up until the late '90s, two economic regimes governed the vulnerability space. The gift economy consisted of researchers giving away vulnerabilities in exchange for social capital and the expectation of reciprocity from other senior researchers. This was how rock stars were made in the underground. Simultaneously, there existed a barter economy for those who valued the long-term effectiveness of exploits against target systems over the social capital that could be gained by broadcasting the vulnerability's existence. The barterers traded exploits on the underground to build personal toolkits which could be used to take down arbitrary targets on the Internet. Anyone who reads this blog should know what the informal names of these two groups were.
The late 1990s arrived, and a burst of security startups came on the scene towards the tail end of the Internet bubble. People who wrote and released exploits were hired by these firms to write and release exploits, effectively serving as raw grist for the marketing department. The researchers were able to convert their accrued social capital to a full salary with benefits. The dominating logic for the firms at the time was that money was cheap, security talent was impossible to find, and vulnerability announcements were an attention-grabbing PR scheme that could be translated into qualified leads for services and products produced by the organization.
[The group that traded exploits rather than releasing them for social capital called this act "selling out." Those of us who got jobs called it "buying in."]
The early 2000s hit, along with a severe economic crunch for our industry. Security companies experienced a wave of M&A action, and many researchers either rode the acquisition out, ran off and started consultancies, or went back to school. Paid vulnerability research was cut as the individuals behind the work were put onto making products that could be sold rather than generating news for marketing departments.
There was still value in vulnerabilities; companies like iDefense showed it was possible to supply their internal intelligence and marketing operations by buying vulnerabilities on the open market, effectively creating a free market for vulnerabilities. The top researchers continued to release their findings on their own, as they could make more money from leads for their consulting services than iDefense was able to pay for the finding.
A few years later, criminals figured out how to make money from compromised desktop systems operating in aggregate from a central control point, using techniques ranging from sending spam to keystroke logging to DDoS-for-hire services. Building these networks required either new exploits or social engineering attacks, which created the underground market for new vulnerabilities. Not surprisingly, the underground market paid far higher rates for products like a zero-day vulnerability against a fully patched Windows XP system than someone could get from the legitimate vulnerability market.
Today, the best and brightest may say "no more free bugs", but they already have the social capital required to function in our industry, and can command high consulting fees. Up-and-comers like Nils can go to CSW and participate in P2O, giving them a means of generating social capital while still making money. However, for non-headline-generating vulnerabilities, people who are fresh to the scene will still hand out minor vulns to build personal reputation, all the while selling their most impressive findings to botnet builders on the underground.