[ISN] FrSIRT Puts Exploits up for Sale

InfoSec News isn at c4i.org
Thu Mar 16 05:03:20 EST 2006


By Ryan Naraine 
March 15, 2006 

Independent security research outfit FrSIRT.com is putting its
database of security exploits behind the paid curtain.

FrSIRT, previously known as K-Otik, has shut down the public exploits
section of its Web site and announced that all exploits and
proof-of-concept code will be sold through its subscription-based VNS
(Vulnerability Notification Service).

The 3-year-old company, which operates out of Montpellier, France, is
considered the go-to place for finding exploit code for known software
vulnerabilities and has been a thorn in the side of many vendors,
including Microsoft.

FrSIRT describes itself as the trusted center for the collection and
dissemination of information related to network threats,
vulnerabilities, exploits and incidents, but critics say the company's
open approach to releasing harmful exploit code borders on
"irresponsible disclosure."

The new FrSIRT VNS offers round-the-clock monitoring of new
vulnerabilities and threats, and promises real-time access to a
Web-based security alerting service.

The alerts are delivered through a Web portal, XML feeds and e-mail
subscriptions. Subscribers will also get an online vulnerability
scanner and scheduler with which to run security scans on a regular
basis to check for security vulnerabilities.

FrSIRT said pricing for the service will vary based on the number of
users that will be licensed to receive the alerts and access the
exploit code samples.

The new service is part of a growing trend among third-party
researchers to profit from code auditing work. Companies like iDefense
and TippingPoint have found a lucrative business in purchasing the
rights to information on vulnerabilities.

Dutch security firm Frame4 Security Systems is also getting into the
malware-for-sale market, launching a project called MD:Pro that offers
access to thousands of downloadable malware samples.
