I sent a local OpenBSD / FreeBSD kernel bug to ZDI, and they replied saying they were only interested in remote vulnerabilities, and for the most part only bought pre-authentication bugs.
Well, I found a reasonably significant heap overflow in some moderately popular open-source Unix software, which is aimed primarily at the server market and partly at the desktop market. It's not internet-critical infrastructure or anything like OpenSSH or Apache, but it's a reasonable bug nonetheless. I suspect it could lead to arbitrary code execution, though I haven't attempted to write an exploit to prove that.
I sent the analysis and a sample denial-of-service exploit to IDefense last Friday (the 23rd). I got a mail back today saying it has been assigned to a researcher for determination (of whether the bug is valid and whether IDefense will offer to purchase the vulnerability).
I hope I made the right decision in sending it to IDefense and not ZDI. Does anyone have comments, or ballpark figures for how much money each one pays?