Independent security research outfit FrSIRT.com is putting its database of security exploits behind the paid curtain.
FrSIRT, previously known as K-Otik, has shut down the public exploits section of its Web site and announced that all exploits and proof-of-concept code will be sold through its subscription-based VNS (Vulnerability Notification Service).
The 3-year-old company, which operates out of Montpellier, France, is considered the go-to place for finding exploit code for known software vulnerabilities and has been a thorn in the side of many vendors, including Microsoft.
FrSIRT describes itself as the trusted center for the collection and dissemination of information related to network threats, vulnerabilities, exploits and incidents, but critics say the companys open approach to releasing harmful exploit code borders on “irresponsible disclosure.”
The new FrSIRT VNS offers round-the-clock monitoring of new vulnerabilities and threats, and promises real-time access to a Web-based security alerting service.
The alerts are delivered through a Web portal, XML feeds and e-mail subscriptions. Subscribers will also get an online vulnerability scanner and scheduler with which to run security scans on a regular basis to check for security vulnerabilities.
FrSIRT said pricing for the service will vary based on the number of users that will be licensed to receive the alerts and access the exploit code samples.
The new service is part of a growing trend among third-party researchers to profit from code auditing work. Companies like iDefense and Tipping Point have found a lucrative business in purchasing the rights to information on vulnerabilities.
Dutch security firm Frame4 Security Systems is also getting into the malware-for-sale market, launching a project called MD:Pro that offers access to thousands of downloadable malware samples.