In early December, someone identified only by the eBay member name "fearwall" posted the spreadsheet vulnerability on the online auction service, which yanked the listing when the bidding reached $60.
Microsoft later confirmed the vulnerability in Excel and said it was investigating the problem, but wouldn't commit to patching it.
The researcher is now working with security company HexView, which plans to release a full analysis of the bug once Microsoft publishes a patch. The caveat: the analysis will include two 400-character text ads for products chosen by the two highest bidders in a private auction.
"Do not miss your chance to get noticed," HexView said in a statement posted to its Web site. "Our disclosure is expected to draw the attention of many people, including your prospective customers. The ad will be published as a 400-character paragraph within the disclosure called 'You may also find interesting.'" Bidding begins at $600, said HexView, and will be conducted via e-mail.
The proceeds will be split between "fearwall" and HexView, said Max Solonski, a principal consultant with the company, in an e-mail interview. "It is not 50/50, and 'fearwall' takes the greater chunk since it was his idea," said Solonski. "He also seems to be obsessed with open source donations and the vast amount of the collected funds may go that way."
Not even HexView is sure if the concept of advertising in a bug report is a viable way to turn vulnerability research into cash.
"While it seems logical to advertise products that address the vulnerability along with the description of the vulnerability, it may as well affect the image of the advertiser since vulnerability disclosures are commonly considered 'a bad thing,'" said Solonski.
The concept of paying for vulnerabilities, however, isn't new. Better-known security companies such as iDefense (part of VeriSign) and TippingPoint (part of 3Com) pay "bounties" on bugs reported to their research teams, and crow when those programs bear fruit.