What can you do if you discover a brand new, never exploited ("zero day") vulnerability in a ubiquitous piece of software? Forbes is on the case: Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits
"A clever hacker today has to make tough choices. Find a previously unknown method for dismantling the defenses of a device like an iPhone or iPad, for instance, and you can report it to Apple and present it at a security conference to win fame and lucrative consulting gigs. Share it with HP's Zero Day Initiative instead and earn as much as $10,000 for helping the firm shore up its security gear. Both options also allow Apple to fix its bugs and make the hundreds of millions of iPhone and iPad users more secure.

"But any hacker who happens to know one Bangkok-based security researcher who goes by the handle "the Grugq" (or someone like him) has a third option: arrange a deal through the pseudonymous exploit broker to hand the exploit information over to a government agency, don't ask too many questions, and get paid a quarter of a million dollars, minus the Grugq's 15% commission."
...
"The Grugq is hardly alone in his industry. Small firms like Vupen, Endgame and Netragard buy and sell exploits, as do major defense contractors like Northrop Grumman and Raytheon.

"Netragard's founder Adriel Desautels says he's been in the exploit-selling game for a decade, and describes how the market has "exploded" in just the last year. He says there are now "more buyers, deeper pockets," that the time for a purchase has accelerated from months to weeks, and he's being approached by sellers with around 12 to 14 zero-day exploits every month compared to just four to six a few years ago."
***********
And here's a related article about a French firm, Vupen, which describes itself as follows: "As the leading source of advanced vulnerability research, VUPEN provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions using extremely sophisticated codes created in-house by VUPEN."
HT: Duncan Gilchrist