Researcher wants cash for flaws

By Iain Thomson
Aug 14, 2008 10:17 AM
A security researcher is trying to garner funds to set up his own company by charging for details of software flaws.

Adam Gowdiak says he has identified flaws in Java and Nokia's Series 40 phone operating system and built two exploits that could be used to subvert systems running the code. He is asking Nokia and Sun for €20,000 (A$34,000) to see his proof and amend the flaws, but has not ruled out selling it to third parties.

“We plan to deal with professional and serious companies from the security, telecommunication, anti-virus and government industries. Thus, we will not fulfil every single party's request for early access to our research material,” he says on his site.

“We can't do anything about the leak occurring at one of these companies. In case of a leak, we will immediately inform the public about its occurrence.”

Gowdiak claims in the foreword to his paper that the flaws would allow a hacker to control certain functions of a mobile phone running Nokia’s Series 40 operating system just by knowing the phone number the phone is using.

Once compromised, the phone could be programmed to call high-cost phone services, send duplicate copies of SMS messages, or even act as a sound recorder.

The move is a break from standard security research, where vendors are informed of any flaws and researchers make their money from consultancy. Gowdiak says that would not give him the freedom to do the research he wants but that he had given the companies a brief update on the flaws.

“If one takes into account that experienced and skilled 3rd parties charge between US$200-250 per hour for security evaluation services, €20,000 (A$34,000) is equal to 3-4 weeks of work. So, you get the 6 months of work for the price of one month,” he says.

Copyright © 2008 vnunet.com

 
Comments: 2
Either the good guys buy it or the bad guys buy it...the good guys shouldn't complain about paying for obtaining and having exclusive rights to such valuable information!
Posted by coder | Aug 14, 2008 12:20 PM
...and why not? He has a commodity that he earned and he's willing to sell it. Good on him.
Posted by OzTeK | Aug 15, 2008 9:08 AM