Speculations over the price of exploits on the black market
In a recent interview, Matt Moynahan, the CEO of security firm Veracode, said an exploit for Adobe software is worth up to $5 million on the black market. However, more realistic estimates place prices in the region of $100,000.
Speculation about the cost of vulnerability information on the black market predates Stuxnet, which exploited a total of four zero-day vulnerabilities in Windows. However, the stiff sum of $5 million mentioned by Matt Moynahan is considered a wild exaggeration by most security experts. In a blog posting, Moynahan himself later toned down his estimated price range to between $100,000 and $500,000.
Dan Holden considers the lower end of this scale a more realistic figure. Holden is director of security research for DV Labs, an organisation which also includes the Zero Day Initiative (ZDI), familiar from the Pwn2Own contest. Talking to heise Security, Holden said that exploits for such widely used products as Adobe Reader, Internet Explorer or Windows are worth between $50,000 and $100,000 on the black market. Holden said "Demand always depends on the attackers' target. Sometimes, there is a demand for holes that are suitable for worm attacks. Other times, a small number of victims is to be infected via spear phishing". The latter goal is most likely achieved by exploiting holes in Adobe Reader or in an Office application.
Holden should know what he's talking about – after all, the ZDI itself buys security holes and is, therefore, a direct competitor to black market buyers.
(Uli Ries / ehe)