
From a business standpoint, how would you express the need for a vulnerability research team?

In the end, would it be infeasible from a business standpoint unless said business chalked it up as a marketing cost (to promote other services) or sold the vulns?

SCENARIO

Imagine working at a Fortune 500 company that provides infosec products and has multiple clients.

Every time there's a new CVE out, they create Snort rules and implement them.

AFAIK the only selling point would literally be selling any vulnerabilities found and using the rest as internal advisories (like Cisco Talos).

However, with opportunity cost it would be cheaper for the researchers to bughunt on their own time. For example, if fuzzing for an OSX/iOS vuln, it would be cheaper to do it in one's spare time and get the full X amount, rather than a lesser amount in salary and maybe 20-50% of the value of the vulnerability as a bonus.

grepNstepN
  • What's a high value bug worth these days? 30K for a high-value RCE? You'd need to find a lot of high value bugs to make an entire team justifiable. – DKNUCKLES Mar 23 '17 at 14:38
  • A high-value bug is worth nothing in the hands of those with poor negotiation. Informational asymmetry plagues vulnerability research, so you need to know yourself, your market and your reseller to gain appropriate profit. – grepNstepN Mar 23 '17 at 20:53

1 Answer


Seeing as you work at an infosec company, one word: prestige. Blog posts about discovered vulnerabilities are gold in the sphere of commercial information security.

The root cause analysis gives the company the ability to showcase its expertise in one of the most respected areas of the field. Also, as someone who has found a few inconsequential CVEs, I'm inclined to say they work wonders for the credibility of the finder when it comes to approaching customers. If a restriction is that vulnerabilities found on company time must be disclosed under the company name, it will provide invaluable proof that your company is on the frontier. For a Fortune 500 this is highly desirable, and others are doing it too. Business-wise, the impact of the CVE is not that important; the people that hire you might know what a CVE is, but they're usually not the type to say "oh, this is just small game". So throw some obscure Debian package into AFL, some obscure media format into Peach, hone your gdb/WinDbg skills and make a name for yourself.

J.A.K.