January 19, 2006

Vulnerability report with ‘your ad here’

A small security research firm is planning to include advertising in its next security vulnerability report as a means to compensate the vulnerability's finder.

By CBR Staff Writer

HexView, a two-year-old Los Angeles-based research outfit, is currently auctioning two ad slots in its next vulnerability alert, which will provide technical details of a hole in Microsoft Corp’s Excel spreadsheet software.

The company is hoping that previous media coverage of the vulnerability, which its finder has previously tried to sell on eBay and security mailing lists, will encourage advertisers to buy the space.

There is definitely a logic behind advertising a product in the vulnerability disclosure, especially if that product offers remediation features, HexView’s principal researcher, Max Solonski, said in an email interview.

The other opinion is that vulnerability disclosures are commonly considered ‘a bad thing’ and it affects the image of the company that decides to put their ads in the publication, he added. The exact answer to the question is the target of our research.

While the move is believed to be unprecedented, the commercialization of vulnerability research is not a new thing. At least two organizations offer cash to researchers who find vulnerabilities in commercial software products.

iDefense, acquired by VeriSign Inc last year, has long offered bounties for zero-day vulnerabilities. Last summer, TippingPoint, a unit of 3Com Corp, launched the Zero Day Initiative with much the same business model.

The idea with those two initiatives is to be able to provide protection for paying customers days, weeks or months in advance of official patches becoming available, not to mention the publicity that comes with discovering a high-profile, high-risk bug.


VeriSign and ZDI have policies of not publishing technical details of vulnerabilities until patches are available. HexView has a harder line, saying it will publish details of critical vulnerabilities 30 days after vendor notification, unless there is a special case for an extension.

The vulnerability in question this time was reported to Microsoft in December, and Microsoft, which is working on a patch, has reportedly verified it is real. It is said to enable malicious code execution when Excel documents are opened.

It came to light after the finder, who used the handle fearwall, said he had tried and failed to sell the zero-day to ZDI and iDefense. He then put it up for auction on eBay, saying he would sell to anyone, good or bad, but would give Microsoft employees a 10% discount.

According to HexView, that auction saw bids up to $1,200 before eBay pulled it, though press reports put that number somewhat lower. HexView’s auction for ad space starts at $600 per slot.
