Vulnerabilities that have some value in relation to exploitation in the wild are purchased by the Zero Day Initiative, which hosts the Pwn2Own contest.
ZDI further researches the vulnerabilities for products (http://h17007.www1.hp.com/us/en/products/network-security/index.aspx) and services that they sell, then reports the vulns to the vendors for patching.
I guess researchers want to cut out the middle man and sell the vulns to the vendors directly.
Yeah, third parties such as ZDI and other above-board institutions and organizations weren't the kind of third party to which I was referring when I was rebutting the asinine and completely ignorant extortion charges.
"Supposedly, the hacker going after Android had a working exploit but thought that it did not qualify for the rules of pwn2own so reported the vuln to Google and the vuln was subsequently patched. Seems kind of bogus given that Android devices using non-default UI, such as the Sense UI, are still running older versions of Android."
OK, so no one attacks Chrome, no one attacks Android, a guy suddenly thought that he does not qualify for the rules and gives everything to Google, what the hell?
Have you bothered looking up what actually happened, or do you prefer to imply conspiracy and malfeasance because you don't like the results?
http://www.computerworld.com/s/article/9213763/Researcher_blows_15K_by_reporting_bug_to_Google
This was pretty widespread news yesterday.
"Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN"
You basically know that this statement is totally wrong and that you hoped (and actually succeeded) to attract a flame war in your forum for the sake of increasing the number of page hits on your site.
Yes, the headline is sensationalistic, but it is not inaccurate. It delivers the single most relevant point to the end user. The exploit takes five seconds to work. The time in developing the exploit is irrelevant to the exploitee. I don't understand why this is so difficult for people to understand.
Does it matter if it took years for a car thief to develop the skills that let him break into a car in fifteen seconds? What about the burglar? Bank robber? Does it matter how long it took for someone to develop a rifle?
The time to develop any executable skill doesn't matter at the point of execution. Why do you people keep coming back to the "well, it took weeks"? Of course it took weeks. What do you think this is, a movie?
Again, it took three men (PAID to do that; this is very important to remember) and two weeks to implement an exploit.
Chrome was not attacked; no one is showing up. But I really don't think that it is because no one can take it down. The exploit of IE 8 shows that it is possible to escape from the sandbox; there is always someone who can, because they are PAID to find flaws in software. I just think that some money is flying around so that no one is actually showing up for Chrome.
This is pathetic. Do you have ANY proof to back up your supposition for your conspiracy theory about Chrome? Any whatsoever? One shred? One iota? Anything?
And people give Microsoft a hard time for spreading FUD.
And Charlie Miller did it three years in a row, basically working in his spare time, so what's your point with this PAID nonsense?