For some security researchers who uncover flaws in leading computer programs, a nod of appreciation from software companies is no longer enough.
Now they want money.
Critics say the purity of research is in jeopardy as discoveries are shopped around instead of submitted directly to software vendors so they can quickly develop a fix.
"I don't like there being an incentive to turn this into a market," said Bruce Schneier, chief technology officer for security company BT Counterpane. "Then you create incentives for the bad guys to start finding this stuff and selling it, and if the bad guys charge more, the good guys have to charge more."
Some companies already have been offering payments for such information — hundreds or thousands of dollars depending the severity of the flaw — and a Swiss-based auction site opened this month to encourage bidding for such knowledge.
Software vendors so far have refrained from purchasing the information themselves, reluctant to encourage extortion — researchers holding out or threatening to sell to criminals unless they get the right price.
A black market has long existed for trading information about vulnerabilities in software from Microsoft Corp., Cisco Systems Inc. and other vendors of products crucial to running computers and sending data over the Internet. The information could then be used to break into systems holding credit card numbers or secretly plant spying software within a company's network.
Experts say government agencies also have been buying such knowledge — not to warn the public but potentially to break into computers for national security or criminal investigations. Charlie Miller, a former National Security Agency employee, said one agency he wouldn't name paid him $50,000 in September.
To keep up, security company iDefense, now part of VeriSign Inc., pioneered the "white hat" market for exploits about five years ago, creating the Vulnerability Contributor Program to reward legitimate researchers who submit information on flaws. TippingPoint, a unit of 3Com Corp., followed with a similar program three years later.
In both cases, the security companies buying the information then work with vendors and avoid disclosing the flaws publicly until a fix is developed. The information is valuable because the security companies can sometimes use the knowledge to protect their own customers in the interim.
Although researchers historically have shared knowledge for free, "there's been a market that has naturally evolved where this information is power," said Ken Durham, director of the rapid response team with VeriSign-iDefense. "Our concern is people would start to turn to the dark side unless they had a responsible avenue."
Terri Forslof, who runs TippingPoint's Zero Day Initiative, said programs like hers can never pay as much as the black market, but most legitimate researchers are willing to accept smaller payments knowing the buyer would handle the information responsibly.
The newly opened auction site, WabiSabiLabi, doesn't require buyers to work with vendors on a fix before disclosing the flaw. Operators of the site say they try to validate both buyers and sellers — for example, requiring copies of passports and bank account information — but many people remain skeptical.
"You potentially do not know who is buying that vulnerability," said Mark Miller, Microsoft's director of security response communications. "The potential for customer risk can be increased."
Roberto Preatoni, strategic director for WabiSabiLabi, said criminals have no need for his site because they can remain anonymous in the black market. He also said his auction functions more like eBay Inc.'s site in connecting buyer and seller, and thus questions of legal liability and disclosure are strictly between those parties.