Vulnerability bounty markets and structural disclosure

Both iDefense and TippingPoint are now operating commercial vulnerability-purchase programmes. iDefense's Vulnerability Contributor Program has been running for some time; TippingPoint's Zero Day Initiative launched in late July. The cumulative effect is a meaningful structural shift in vulnerability disclosure economics.

This post is a longer treatment because the structural change matters more than the specific programmes.

What is being paid

Both programmes pay researchers cash for vulnerabilities they discover, on agreed terms.

iDefense VCP. Researcher submits a vulnerability privately. iDefense validates the vulnerability, agrees a payment, and integrates the vulnerability information into their commercial intelligence services. iDefense then notifies the affected vendor and coordinates disclosure on a defined timeline.

TippingPoint ZDI. Researcher submits a vulnerability privately. TippingPoint validates, agrees a payment, and develops protection signatures for their intrusion-prevention products. TippingPoint then notifies the affected vendor and coordinates disclosure on a defined timeline.

The two programmes operate similarly. The key differences are in how the purchased vulnerability information is monetised — iDefense through intelligence services, TippingPoint through IPS protection.

The payment ranges are non-trivial. Published reports describe payments from a few hundred dollars to several thousand dollars per vulnerability, depending on severity and target. The payments are not life-changing, but they are large enough to be operationally meaningful for individual researchers.

What this changes structurally

Three observations.

Researcher economics shift. Previously, a researcher who discovered a vulnerability had three options: publish (with reputational benefit but no direct compensation), disclose privately to the vendor (with no compensation), or sell to underground markets (with compensation but ethical and legal exposure). The bounty programmes add a fourth option: sell to legitimate intermediaries with compensation and clear terms.

The fourth option is structurally important. Researchers who would have published or quietly disclosed privately can now monetise their work through legitimate channels.

Coordinated disclosure becomes more reliable. The bounty programmes commit to specific disclosure timelines and specific vendor coordination. The cumulative effect should be more orderly disclosure than the ad-hoc patterns of previous years.

The economic competition with underground markets is now real. Before programmes of this kind existed, the only buyers paying cash for vulnerabilities were underground markets. The legitimate alternatives create direct economic competition. Researchers who would have considered underground markets now have a legitimate option at lower but still competitive compensation.

Why the structural shift matters

The cumulative effect on disclosure quality should be positive. Three specific reasons.

More vulnerabilities surface earlier. Researchers who would not have published find legitimate channels to disclose. The cumulative volume of properly-disclosed vulnerabilities increases.

Disclosure coordination improves. The intermediaries handle vendor coordination, timeline negotiation, public-disclosure preparation. The cumulative quality of disclosure events should improve as the intermediaries develop expertise.

Competition with underground markets reduces underground supply. Some fraction of researchers who would have sold to underground markets will sell to legitimate intermediaries instead. The reduced underground supply may slow the development of underground exploitation.

The cumulative trajectory is positive but bounded. The bounty programmes do not solve disclosure problems; they shift the economics in helpful directions.

What this does not solve

Four limitations worth being explicit about.

The most valuable vulnerabilities still go to underground markets. The bounty programmes pay legitimate-market rates; underground buyers pay rates set by nation-state budgets. For high-value vulnerabilities (zero-days against widely-deployed infrastructure, kernel-level vulnerabilities, mobile-platform vulnerabilities), the underground markets continue to dominate.

Vendor cooperation remains uneven. The intermediaries still need vendor cooperation for patches. Vendors who are unresponsive or hostile (the Cisco-Lynn pattern) limit the intermediaries' ability to coordinate disclosure effectively.

The supply of researchers is not unlimited. The bounty programmes attract some new researchers; they also redirect existing researchers from other activities. The cumulative effect on disclosure volume is bounded by the underlying researcher population.

Specific vulnerability classes remain harder to monetise. Vulnerabilities in less-deployed infrastructure or in specific niche products may not have sufficient commercial value to support bounty payments. The intermediaries focus on widely-deployed targets; the niche vulnerabilities continue to be undermonetised.

What this teaches operators

For organisations whose products are likely to be subjects of bounty-programme research:

The disclosure pipeline is now more professional. Researcher-discovered vulnerabilities will increasingly arrive through intermediaries with formal disclosure procedures. Vendors with mature vulnerability-response infrastructure benefit; vendors without are exposed to less-coordinated disclosure.

The timeline pressure is real. The intermediaries commit to public disclosure on specific timelines (typically 60-90 days from initial vendor notification). Vendors who cannot ship patches within those timelines face disclosure of the vulnerability details before a fix is available.

The investment in vulnerability response is structurally rational. Vendors who can respond quickly to bounty-programme submissions produce better outcomes than vendors who cannot. The investment in response infrastructure is bounded; the cumulative benefit is real.

For organisations using vulnerable products:

Monitor for bounty-programme disclosures. Both iDefense and TippingPoint publish advisories for the vulnerabilities they purchase once disclosure is coordinated. Tracking those advisories against the products you actually run is part of standard vulnerability management.

Use intermediary protection where available. TippingPoint ships IPS signatures for the vulnerabilities it purchases, and because the signatures are developed before vendor notification they are typically available before the patch. Operators running those products get interim protection; a signature is a mitigation, not a substitute for the patch.

What I am paying attention to

Three things over the next 12 months.

Specific further bounty programmes launching. 80% probability. Other commercial security firms have similar opportunities; the model is replicable.

Specific evolution of the underground markets in response. 70% probability of meaningful evolution. Underground markets will adjust pricing or add features in response to legitimate competition.

Specific vendor-cooperation improvements. 50% probability of meaningful improvement. The cumulative pressure on vendors to engage with intermediaries should produce some response.

What this means for my own thinking

I do not produce vulnerability research; the bounty programmes are not directly relevant to my own work. The structural shift is informative about the broader disclosure economics; specific subsequent posts will refer back to this trajectory.

For researchers who do produce vulnerability research: the bounty programmes are worth considering. The compensation is non-trivial; the coordination support is meaningful; the legitimacy is real.

For the broader field: the cumulative trajectory is positive. Disclosure economics matter; the bounty programmes shift the economics in useful directions.

More as the disclosure trajectory develops.
