
April 28, 2010

Vulnerability trading markets and you

There is something interesting going on in the security industry: we are witnessing the rapid emergence of vulnerability trading markets. Perhaps hundreds of security researchers now routinely sell exploits to intermediaries for an easy profit (anywhere from $1,000 to $50,000), instead of the more usual practice of talking to the vendors or announcing their findings publicly. The buyers in turn resell the knowledge to unspecified end users, most likely at several times the original price tag. Some of the intermediaries may eventually release the information to the public; others withhold it indefinitely. The latter bunch is willing to pay you a lot more.

Curiously, both classes of intermediaries often ask for weaponized, multi-platform exploits, and not just a nice write-up on the nature of the glitch. Why? Some use cases in the IDS industry could be strenuously made, but I do not find them all that believable. More likely, at the end of the chain, you can find buyers with questionable intentions and a clear business reason to justify the significant expense, yet maintain anonymity. When asked about their clients, the intermediaries usually allude to unspecified government agencies - but even if this somewhat uncomfortable claim is true, the researcher does not get to choose which government he may be aiding with his work.

Many people find it difficult to sympathize with Jethro's legal troubles: he did not hesitate to take cash for an exploit that he had every reason to suspect would be used for illegal purposes. Are the proxy arrangements practiced in institutionalized exploit trade really that different? I'm not sure: can the sellers honestly claim they understand who wants these exploits, and why these tools happen to be so unusually valuable? And if not, should they be selling them to the highest bidder, no questions asked?

Of course, there is an argument made by Charlie Miller and several other researchers that the vendors should not be entitled to free vulnerability research services from the security community. Maybe so - although it's worth noting that researchers profit from that bona fide work by gaining recognition and respect, and landing cool jobs later on; vendors gain much less from the extra public scrutiny, and some of them would probably prefer for this "free" arrangement to go away completely. But in any case, I do not think this argument genuinely supports the idea of selling the information to third parties with no regard of how it may be used: it may be legal, and it may be profitable, but it certainly does not feel right.


  1. You offer a compelling argument, one that I agree with. But you also offer no alternative. What, in your opinion, is the best route?

  2. To some extent, I think we simply should avoid hubris: if there seems to be no convincing, legitimate way to adequately monetize our skills, perhaps it's time to go back to the drawing board.

    While I can understand why some researchers are unhappy with vendors not willing to contract them, going to the vendor to ask them to "bid" on a piece of factually correct but potentially damaging information, or else face having it revealed to other parties, sounds awfully close to blackmail - and not a legitimate business proposal.

    I think in the end, when it comes to security, vendors spend as much as they think is justified, and only this much... and yup, in absence of external feedback or regulatory pressure, this may approach zero.

    Public scrutiny and PR pressure changes the equation, and in the long run, creates a legitimate market for security jobs and consulting services, and reinforces the credibility of key players. It's a slow process, but a time-tested one.

  3. I agree with your thesis of "selling ... information to the highest bidder with no regard of how it may be used ... certainly does not feel right." However you focus on only two types of purchasers: 1) purchasers that resell to unidentified parties and 2) purchasers that use the information for unidentified purposes. Anecdotally I do not think those are the two most common purchasers.

    > the researcher does not get to choose which government he may be aiding with his work

    What if the researcher sells directly to a particular government?

    > instead of talking to the vendors

    Programs such as ZDI avoid many of the moral issues that you discuss. They report the issue to the vendor. They also share information needed to make IDS/IPS signatures with other IDS/IPS vendors. Essentially the only thing ZDI purchases is the publicity associated with the vulnerability. All of this relies upon trusting ZDI.

  4. True, but even ZDI does not explicitly say who gets the information, and for what purposes; there is a note that to sign up for a partner program, you should be an IPS vendor, but that's it. From what I hear, they also value working exploits more.

    While I do not suspect malice (it might be that the PR benefits of running this particular program offset its costs), I also find it difficult to draw a clear line between this and other forms of vulnerability trading.

    Re: selling directly to a particular government - depends on your personal views, pretty much. But it's a clear-cut situation then.

  5. From my blog on 12 Feb (

    There are many kinds of security researchers: white hat, grey hat and black hat. They decide which kind of purchasers they want to deal with and what kind of researchers they want to be. White hat researchers find bugs in enterprise-level software, help the Internet community become a little safer and get paid for their efforts. Grey hat and black hat researchers, in some cases, give their research up to nefarious organizations whose purpose they may not fully understand. They might get paid handsomely for their efforts but they are definitely not making the Internet safer. Unfortunately, vendors do not fix those kinds of vulnerabilities until the damage is done. The bad guys who leverage that research may use it to commit cyber crimes, to conduct cyber espionage or to execute some other nefarious purpose. The security community does not get to fix that vulnerability until somebody discovers it and there is no guarantee that we will discover it either.

    I fundamentally disagree with the notion that since the black hats and the grey hats can possibly make more money selling vulnerabilities, then the white hats have no role to play. Clearly that is not true. The iDefense VCP program is alive and well. It produced more than 50 vulnerabilities last year; at least 30 of which were high-impact Microsoft vulnerabilities. Other white hat operations had similar successes.

  6. I just came across this post/comments while reading "Not the disclosure debate again?". Both are good reads.

    For what it's worth... As the founder of the ZDI I am personally stating that there is no malice or underhanded intent. Allow me to clarify some points.

    The ZDI partner program is open to any "legitimate" security vendor selling a defensive product whose signatures|filters|whatever are not open. A more detailed advisory than what is publicly released is provided to partners on the same day as public disclosure. As there is no charge for the information, I originally expected a heavy response. Yet after 5 years of running there are only a few partners.

    It's always been a goal to proactively reach out to more competitors and essentially sell them on taking our free (as in beer) information. I'm unsure as to why there hasn't been more interest. With a beefed up partner list we would then dedicate a section of the Zero Day Initiative website to listing the various partners and how they benefit from the information. The lack of transparency in this case is due to lack of an interesting story. Another area we've toyed around with is the creation of opt-in public researcher profiles. Similar to a LinkedIn bio page perhaps with information on who they are, what they've discovered and links to personal pages.

    With regards to working exploits: the only increase in valuation is solely in regard to the extra time put in by the researcher. Most cases coming through the ZDI do not include even a rudimentary PoC; many provide little more than a crash report. A few guys take great pride in their work and produce elegant exploits consistently, as you state: "Like all hobbyists, they are proud of their work...". Alongside our kudos we've always done our best to get those guys as many perks as we can.