Vulnerability pimp tries extortion, settles for “fame.”
What’s wrong with this picture?
DeMott, who runs Rockford, Mich.-based VDA Labs with his partner Justin Seitz, said he called LinkedIn to either sell the bug or offer his company’s consulting services, like he does for any vendor impacted by a vulnerability discovered by DeMott or Seitz.
VDA Labs charges about $175 to $200 an hour for consulting and usually about $5,000 to purchase a significant zero-day flaw, DeMott said.
There’s just no pretense at all about looking out for the interests of users or vendors here. Just himself and his wallet.
DeMott said he never sells vulnerabilities to non-U.S. or criminal buyers, nor does he do business with such bounty programs as VeriSign iDefense Labs and TippingPoint Zero Day Initiative over worries they might keep the vulnerability details, even if they reject the discoverer’s findings.
In other words, he’s afraid they’ll use his “intellectual property” and ruin his own chances of making money off it.
“I see both sides of it,” he admitted. “But I also see that as a researcher, I work hard days and nights to find these bugs. I think we deserve some compensation.”
Without getting too Lindstromian (Lindstromesque?), who asked you to look for them??
Posted by shrdlu on Wednesday, July 25, 2007

