Comment Not a bad idea at all (Score 1) 55
Seems like a nice easy way to make a bit of cash in your spare time without any particularly rare skills needed. Just find a vulnerability from CVE that doesn't have a corresponding Metasploit module, write a Metasploit module and put it up in Exploit Hub.
Since it's not a 0-day, there's nothing to be gained by getting an exclusive purchase so the prices will be reasonable. There's less risk of being sued too because it's not a 0-day; just a bit of code that you can use to test for an already disclosed vulnerability.
- The company who wrote the vulnerable software will want it to put into their QA cycle to guard against regressions.
- Anyone who writes penetration testing software will want it to integrate into their product... unless the price is higher than just having their own coders do it.
- Penetration testers will want it in their arsenal to make sure they get the maximum coverage possible.
The "bad guys" probably won't want it. It's already known and getting patched and they'll have to rewrite it anyway because it will have an easily identifiable signature as it comes from Exploit Hub.
There will still be a market for 0-day exploits, but as the article mentions, it's a finicky market. Setting up a market for turning disclosed vulnerabilities into Metasploit modules is smart.