Wednesday, September 19, 2012

The market for "zero day" software vulnerabilities

What can you do if you discover a brand new, never exploited ("zero day") vulnerability in a ubiquitous piece of software? Forbes is on the case: Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits

"A clever hacker today has to make tough choices. Find a previously unknown method for dismantling the defenses of a device like an iPhone or iPad, for instance, and you can report it to Apple and present it at a security conference to win fame and lucrative consulting gigs. Share it with HP’s Zero Day Initiative instead and earn as much as $10,000 for helping the firm shore up its security gear. Both options also allow Apple to fix its bugs and make the hundreds of millions of iPhone and iPad users more secure.

"But any hacker who happens to know one Bangkok-based security researcher who goes by the handle “the Grugq”–or someone like him–has a third option: arrange a deal through the pseudonymous exploit broker to hand the exploit information over to a government agency, don’t ask too many questions, and get paid a quarter of a million dollars–minus the Grugq’s 15% commission."
"The Grugq is hardly alone in his industry. Small firms like Vupen, Endgame and Netragard buy and sell exploits, as do major defense contractors like Northrop Grumman and Raytheon.

"Netragard’s founder Adriel Desautels says he’s been in the exploit-selling game for a decade, and describes how the market has “exploded” in just the last year.  He says there are now “more buyers, deeper pockets,” that the time for a purchase has accelerated from months to weeks, and he’s being approached by sellers with around 12 to 14 zero-day exploits every month compared to just four to six a few years ago."

And here's a related article about a French firm, Vupen (which describes itself as follows: "As the leading source of advanced vulnerability research, VUPEN provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions using extremely sophisticated codes created in-house by VUPEN.).")

HT: Duncan Gilchrist

No comments: