http://www.theregister.co.uk/2013/01/10/cool_exploit_kit/

With Linux you have little to fear – so far I’ve not been attacked by any adds/links here at KOS, and I’m running Windows.

Thanks for your equally cogent response. The Forbes article is not speaking of Russian (or CIS) with regards to prices, but when it comes to exploit sales, the location of the person discovering the exploit is largely irrelevant. It is true certain things have a higher price tag in “the West” but that doesn’t mean the “value” is lower or higher; often it is more a matter of your environment when it comes to who you are willing to deal with, from what I’ve seen. In fact, I’d say the “value” of an exploit is far *higher* in Russia or CIS, as a large part of ‘value’ is the ability to wring out possible uses for a thing (something we are good at).

Your idea for a ‘foundation’ of this nature is an interesting one, but ultimately it would most likely wind up a catastrophe. The matter of trust is one of many factors, but the one that likely pushes out the other contenders for most important: unless it were a single, impeccable person only dealing with all of those vendors (and if that happened, then you’d just have a power vacuum and a very big target), those bugs would just wind up passing through many peoples’ hands (having to deal with the bugs) and that would be a recipe for disaster.

The same ‘other parties’ would continue to exist and the temptations would be rife (as I’m sure would be the infiltrators). There’d be a large window of opportunity for that ‘leaking’ (i.e. selling) to occur with nothing seeming at all suspicious, too, given the fact that ‘properly’ notifying a vendor and taking things to a patch takes a long time. Money (and politics and… so on) is a corrupter. Everything leaks. It’s unfortunate, but it is true. And once that happened once, the entire project would be shot — who’d be willing to trust it?

But then this conversation devolves into human nature (something we CIS people may perhaps be more accustomed to delving into the depths of but which, nevertheless, applies to our entire species), and I’m not sure this is the proper forum for such a discussion (though I would not be opposed to having it).

It’s sad that the only alternatives for exploit hunters are “the underground”, “middle-men” that [often] sell exploits to governments and the few ISVs that pay bug bounties for vulnerabilities (Google is a prime example).

Given the financial losses that individuals, the financial industry, many other businesses/organizations and governments incur from exploits, one would think that a non-profit organization would spring up to purchase exploits, take them off the market and work with ISVs to fix the vulnerabilities targeted by the exploits. This organization, by its charter, would not provide the exploits to “the underground”, “middle-men”, governments or private industry and would pay more per exploit than “the underground” and less than the “middle-men”. For those exploit hunters that currently work with “the underground”, such an option might provide them with higher payments for their work and keep them out of trouble with their “friends”.

I am wondering if that 10mm usd plus figure the Thai are quoting is the actual loss he allegedly stole in a single act (I doubt this, for a number of reasons), or what the bank estimates is the “damage” to their systems — which tends to be more the situation in almost every case like this.