April 28, 2010
There is something interesting going on in the security industry: we are witnessing the rapid emergence of vulnerability trading markets. Perhaps hundreds of security researchers now routinely sell exploits to intermediaries for an easy profit (anywhere from $1,000 to $50,000), instead of the more usual practice of talking to the vendors or announcing their findings publicly. The buyers in turn resell the knowledge to unspecified end users, most likely at several times the original price tag. Some of the intermediaries may eventually release the information to the public; others withhold it indefinitely. The latter bunch is willing to pay you a lot more.

Curiously, both classes of intermediaries often ask for weaponized, multi-platform exploits, and not just a nice write-up on the nature of the glitch. Why? Some use cases in the IDS industry could be strenuously made, but I do not find them all that believable. More likely, at the end of the chain, you can find buyers with questionable intentions and a clear business reason to justify the significant expense, yet maintain anonymity. When asked about their clients, the intermediaries usually allude to unspecified government agencies - but even if this somewhat uncomfortable claim is true, the researcher does not get to choose which government he may be aiding with his work.

Many people find it difficult to sympathize with Jethro's legal troubles: he did not hesitate to take cash for an exploit that he had every reason to suspect would be used for illegal purposes. Are the proxy arrangements practiced in institutionalized exploit trade really that different? I'm not sure: can the sellers honestly claim they understand who wants these exploits, and why these tools happen to be so unusually valuable? And if not, should they be selling them to the highest bidder, no questions asked?
Of course, there is an argument made by Charlie Miller and several other researchers that the vendors should not be entitled to free vulnerability research services from the security community. Maybe so - although it's worth noting that researchers profit from that bona fide work by gaining recognition and respect, and landing cool jobs later on; vendors gain much less from the extra public scrutiny, and some of them would probably prefer for this "free" arrangement to go away completely. But in any case, I do not think this argument genuinely supports the idea of selling the information to third parties with no regard for how it may be used: it may be legal, and it may be profitable, but it certainly does not feel right.