unSecurityResearch LLC

Application Security Expert


Vulnerability Marketplace Survey Results


Researcher's reviews of 0-Day vulnerability buyers

 

Participate in the survey: http://unsecurityresearch.com/survey/public/survey.php?name=Vulnerability_Marketplace

 

UPDATE: Survey has been updated based on feedback from the community. If you have responded once, I invite you to respond again!

Please remember that by participating you are helping yourself and the entire community! This information can improve every researcher's results.

 

Some people have expressed concern about the accuracy of the results. The limited advertising of this survey ensures its accuracy. Basically, it would have been difficult to learn about the survey unless you were an active or published security researcher.

 

This survey will provide visibility into the murky marketplace of 0-day vulnerabilities. By participating in this survey you will assist other researchers and yourself. The results of this survey will allow researchers to make the best choices of where to sell their vulnerabilities. Additionally, it will allow buyers of vulnerabilities to review how they perform and make adjustments. No personally identifying information will be posted about the participants. This survey may take several minutes. Please complete it as best you can.

2. Which vulnerability buyers have you sold to, and how many times have you sold to each?
Average rank (chart axis: 1-10)
iDefense (4.5)
ZDI (3.9)
iSight (1.0)
SecuriTeam (3.0)
Netragard (1.0)
Wabisabilabi (1.0)
Digital Armaments (0.0)
Direct to buyer (4.4)
3. How many vulnerabilities have you sent to this buyer for which you did not receive an offer AND were able to sell to a different buyer? (Do not count vulnerabilities no buyers would buy.)
Average rank (chart axis: 1-5)
iDefense (2.8)
ZDI (2.4)
iSight (3.0)
SecuriTeam (1.3)
Netragard (2.0)
Wabisabilabi (0.0)
Digital Armaments (0.0)
Direct to buyer (5.0)
4. In weeks, indicate each buyer's average time to offer. (Only respond for buyers you have received offers from.)
Average rank (chart axis: 1-10)
iDefense (3.9)
ZDI (5.8)
iSight (1.0)
Securiteam (1.7)
Netragard (2.7)
Wabisabilabi (0.0)
Digital Armaments (0.0)
Direct to buyer (1.2)
5. In weeks, indicate average time to payment for each buyer you have sold to.
Average rank (chart axis: 1-10)
iDefense (4.8)
ZDI (4.6)
iSight (2.0)
SecuriTeam (2.8)
Netragard (5.0)
Wabisabilabi (0.0)
Digital Armaments (0.0)
Direct to buyer (2.2)
6. If you received an offer, accepted it, but NEVER received payment, select the buyer's name below.
iDefense (0)
ZDI (0)
iSight (0)
SecuriTeam (0)
Netragard (0)
Wabisabilabi (0)
Digital Armaments (0)
Direct to buyer 3.8% (1)

7. Rate buyers on trustworthiness with 5 being complete trust and 1 being no trust. Do you trust them with your vulnerability information? Even if you reject their offer? Please only rate buyers you have successfully sold to.
Average rank (chart axis: 1-5)
iDefense (3.0)
ZDI (3.5)
iSight (2.0)
Securiteam (3.3)
Netragard (2.2)
Wabisabilabi (1.0)
Digital Armaments (1.0)
Direct to buyer (3.2)
8. Please rate a buyer's friendliness, with 5 being friendly and 1 being unfriendly. Do they openly communicate reasons behind decisions? Do they work with you or help? Please only rate buyers you have dealt with.
Average rank (chart axis: 1-5)
iDefense (2.0)
ZDI (3.4)
iSight (4.0)
SecuriTeam (4.3)
Netragard (3.2)
Wabisabilabi (0.0)
Digital Armaments (0.0)
Direct to buyer (3.4)
9. Rate each buyer you have attempted to sell to by your preference for them. 5 being prefer the most, 1 being prefer the least.
Average rank (chart axis: 1-5)
iDefense (2.5)
ZDI (4.0)
iSight (3.2)
SecuriTeam (3.9)
Netragard (2.2)
Wabisabilabi (3.0)
Digital Armaments (2.2)
Direct to buyer (3.9)

10. For iDefense only, indicate what prices (USD) you have received for client side vulnerabilities.
0-1k 19.2% (5)
1-3k 15.4% (4)
3-5k 15.4% (4)
5-7k 3.8% (1)
7-9k 3.8% (1)
9-10k (0)
10-15k (0)
15-20k 3.8% (1)
20-25k (0)
25-30k (0)
30k+ 3.8% (1)
11. For ZDI only, indicate what prices (USD) you have received for client side vulnerabilities.
0-1k 11.5% (3)
1-3k 34.6% (9)
3-5k 26.9% (7)
5-7k 7.7% (2)
7-9k 3.8% (1)
9-10k (0)
10-15k (0)
15k-20k (0)
20k-25k 3.8% (1)
25k-30k (0)
30k+ 3.8% (1)
12. For iSight only, indicate what prices (USD) you have received for client side vulnerabilities.
0-1k 7.7% (2)
1-3k (0)
3-5k (0)
5-7k (0)
7-9k 3.8% (1)
9-10k (0)
10-15k (0)
15-20k (0)
20-25k (0)
25-30k (0)
30k+ (0)
13. For SecuriTeam only, indicate what prices (USD) you have received for client side vulnerabilities.
0-1k 23.1% (6)
1-3k 3.8% (1)
3-5k 3.8% (1)
5-7k 11.5% (3)
7-9k 3.8% (1)
9-10k (0)
10-15k 3.8% (1)
15-20k (0)
20-25k 3.8% (1)
25-30k 7.7% (2)
30k+ 3.8% (1)
14. For Netragard only, indicate what prices (USD) you have received for client side vulnerabilities.
0-1k 7.7% (2)
1-3k 3.8% (1)
3-5k (0)
5-7k (0)
7-9k (0)
9-10k (0)
10-15k (0)
15k-20k 3.8% (1)
20k-25k (0)
25k-30k (0)
30k+ 3.8% (1)
15. For Wabisabilabi only, indicate what prices (USD) you have received for client side vulnerabilities.
0-1k 7.7% (2)
1-3k (0)
3-5k (0)
5-7k (0)
7-9k (0)
9-10k (0)
10-15k (0)
15-20k (0)
20k-25k (0)
25k-30k (0)
30k+ (0)
16. For Digital Armaments only, indicate what prices (USD) you have received from client side vulnerabilities.
0-1k 7.7% (2)
1-3k (0)
3-5k (0)
5-7k (0)
7-9k (0)
9-10k (0)
10-15k (0)
15k-20k (0)
20-25k (0)
25k-30k (0)
30k+ (0)
17. For Direct Buyers only, indicate what prices (USD) you have received for client side vulnerabilities. (Direct Buyers include anyone not listed here that does not advertise a vulnerability buying program)
0-1k 3.8% (1)
1-3k (0)
3-5k (0)
5-7k 3.8% (1)
7-9k (0)
9-10k 7.7% (2)
10-15k (0)
15k-20k 3.8% (1)
20k-25k 3.8% (1)
25k-30k (0)
30k+ 3.8% (1)

18. For iDefense only, indicate what prices (USD) you have received for server vulnerabilities.
0-1k 15.4% (4)
1-3k 11.5% (3)
3-5k 3.8% (1)
5-7k 7.7% (2)
7-9k 3.8% (1)
9-10k (0)
10-15k 7.7% (2)
15-20k (0)
20-25k (0)
25k+ 3.8% (1)
19. For ZDI only, indicate what prices (USD) you have received for server vulnerabilities.
0-1k 3.8% (1)
1-3k 34.6% (9)
3-5k 26.9% (7)
5-7k 7.7% (2)
7-9k 3.8% (1)
9-10k 3.8% (1)
10-15k (0)
15k-20k 3.8% (1)
20k-25k (0)
25k+ (0)
20. For iSight only, indicate what prices (USD) you have received for server vulnerabilities.
0-1k 7.7% (2)
1-3k (0)
3-5k (0)
5-7k (0)
7-9k (0)
9-10k (0)
10-15k (0)
15k-20k (0)
20k-25k (0)
25k+ (0)
21. For SecuriTeam only, indicate what prices (USD) you have received for server vulnerabilities.
0-1k 15.4% (4)
1-3k 3.8% (1)
3-5k 3.8% (1)
5-7k (0)
7-9k (0)
9-10k 3.8% (1)
10-15k (0)
15k-20k 3.8% (1)
20k-25k 11.5% (3)
25k+ 7.7% (2)
22. For Netragard only, indicate what prices (USD) you have received for server vulnerabilities.
0-1k 7.7% (2)
1-3k (0)
3-5k 3.8% (1)
5-7k 3.8% (1)
7-9k 3.8% (1)
9-10k (0)
10-15k (0)
15k-20k (0)
20k-25k (0)
25k+ (0)
23. For Digital Armaments only, indicate what prices (USD) you have received for server vulnerabilities.
0-1k 7.7% (2)
1-3k (0)
3-5k (0)
5-7k (0)
7-9k (0)
9-10k (0)
10-15k (0)
15k-20k (0)
20k-25k (0)
25k+ (0)
24. For Direct to Buyer sales, indicate what prices (USD) you have received for server vulnerabilities. (Direct to buyer is anyone who doesn't advertise a vulnerability purchase program.)
0-1k 7.7% (2)
1-3k (0)
3-5k (0)
5-7k (0)
7-9k (0)
9-10k (0)
10-15k (0)
15k-20k (0)
20k-25k (0)
25k+ 7.7% (2)
Last Updated on Tuesday, 25 May 2010 02:21