
How much is a vulnerability worth?
2021-01-25 05:00

The fourth vulnerability was quite interesting, since it re-appeared at the start of the pandemic when Zoom was under increased usage.

Two years later I received a message saying the vulnerability had been fixed, and could I spend my free time checking whether the fix was good?

At the height of the pandemic, exploits for Zoom zero-day vulnerabilities were reportedly being offered for sale for $500,000, and companies like Zerodium frequently traffic in these kinds of vulnerabilities in the "grey market" vulnerability marketplaces.

While an often-heard argument is that the bug reward offsets the monetary impact the eventual exploitation of the vulnerability would cause, the counter to that is that if a shift-left approach is taken, the offset is multiplied by a factor of ten.

If your SAST or application security engineers or even your code reviews spot ten of these vulnerabilities before going live, you've also mitigated the additional cost of refactoring code and pushing a single build to fix a single vulnerability.

When deciding how much to pay for a vulnerability, if the question becomes "Is this too much for a vulnerability?", you should instead ask yourself whether you are "Shifting left" enough.
