A peek in the world of vulnerability sellers

As you probably already know, this year’s edition of Pwn2Own wasn’t the only hacking contest at the CanSecWest conference held earlier this month.

Pwn2Own's rules were changed this year, and Google, not satisfied with the amount of vulnerability detail the contestants have to share with the organizers, decided to launch its own contest dubbed “Pwnium”.

As it turns out, Google’s Chrome browser has been “pwned” three times this year, and while two of the contestants did it while participating in Pwnium, a team from French vulnerability research and pentesting firm Vupen chose to compete within Pwn2Own.

According to Forbes, the reason is simple enough: they didn’t want to share the knowledge with Google, as the $60,000 prize for a full working exploit for the Chrome sandbox is nothing compared to the sum they can ask for it from their own clients.

“We wouldn’t share this with Google for even $1 million,” says Chaouki Bekrar, Vupen CEO and lead hacker. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

Vupen is not the only firm that earns its money by selling information about software vulnerabilities to the highest bidder, but it is definitely the most prominent one. Its customers are government agencies interested in exploiting the vulnerabilities to spy on criminals and intelligence targets, and probably also on people those governments see as a threat.

Bekrar claims that its customers – who all have to pay a $100,000 annual fee just for the possibility to bid on vulnerability information, at prices that sometimes reach six figures – have all been vetted and are all NATO governments and “partners”.

Also, the company does not sell its exploit techniques to just one government, thus earning huge sums multiple times for each vulnerability and squashing accusations of favoritism in the process.

Bekrar says that the company has ways of filtering out nondemocratic governments and makes all its customers sign agreements that should prevent them from selling or disclosing the information they have bought, but admits that the system cannot guarantee that the agreements will not be broken.

And it is precisely that which bothers its critics. “Vupen doesn’t know how their exploits are used, and they probably don’t want to know. As long as the check clears,” comments privacy activist Chris Soghoian, who considers Vupen a “modern-day merchant of death.”

As mentioned before, the company is not the only one following this business model, but it gets more attention than the others due to its CEO’s flair for publicity. When Vupen was first established, it cooperated with some software vendors and practiced a so-called responsible disclosure policy, giving them the details of the vulnerabilities for free.

In 2010, Bekrar decided that they would stop doing that, reasoning that it was the software companies’ responsibility to write secure code, and instituted the business model the company still follows today.

Bekrar doesn’t want to share details about the sums the company earns, but says it is profitable. “The Grugq,” a Bangkok-based security researcher who brokers deals between hackers with specific vulnerability knowledge and his own government contacts, commends Bekrar’s business acumen.

Even though he makes huge sums of money simply by setting up the deals, he says that Bekrar has the better idea. “He holds all the cards. He can tell his clients to buy at the price he’s offering, or someone else will,” he commented.
