Friday, March 8, 2013

The dark side of Vulnerability Research and Sale

[edit: Altered the title & reworded "Exploit Research" to "Vulnerability Research" to align with common use of the words]

Imagine this:
  1. You have two neighbors, both highly skilled in surveillance and breaking in.
  2. Both of them thoroughly scan your home (from afar, of course), unasked.
  3. They find a few flaws that you don't know about -- but that would allow a thief to bankrupt you.
  4. One of them wants to sell this information and make money that befits his expertise: to you, to your builder, or to the government. (Interesting question: what happens when none of the three agree to buy?)
  5. The other never mentions any of this to you, but directly puts the "exploit" up for sale to the highest bidder in an "open market" meant for highly specialized buyers (of a type that you are not).
Is there anything wrong with this scenario? You bet there is.

This is what is building up in the InfoSec world under the garb of Vulnerability Research. I am sure we all understand the logic of "we need to make a living", "we have a right to market our skills" and even "we have a right to get rich".

That "We tried until 2010 to convince vendors to decently pay researchers without success" almost sounds noble.

But to say "L is for Liberties, and exploit sale is a liberty", as VUPEN (@VUPEN) CEO Chaouki Bekrar (@cbekrar) shamelessly tweeted, is a bit too much for me.

Where is this going?

Vulnerability Research (as in the scenario above) is turning into a thriving market. Though some players spout KYC and self-regulation in support of their activities,
"... ask your favorite vendor to pay researchers $100K per 0D ..." and
"... I confirm we don't sell to repressive regimes ..."
it rings hollow.

Of course, other players are simply discreet about what they do -- and don't promise any such restraint. That is surely no less of an issue.

Statements like
"... You are not a judge, and we are not in a court ..." and
"... we really don't care nor give a shit about your thoughts on exploit sales ..."
just about sum up the attitude and shatter any pretense of ethics. It appears that "there is no law against it, so we'll do what we please as long as we can get away with it" is lurking right underneath this "business model". At this rate, sooner rather than later, we could see specialized "Vulnerability Research" markets come up in the fields of ATMs, credit card terminals, and more. They would, of course, begin by selling the exploits "at a decent price", "only to non-repressive governments" and with "thorough Know-Your-Customer norms".

We are witnessing the birth of a thriving market in Vulnerability Research, where anyone more skilled than you are is free to poke around and blackmail you.

As the market expands, people have more incentive to turn into Vulnerability Researchers (not to be confused with the more innocuous-sounding term "Security Researcher") -- and there is little or no reason to exercise any restraint.

I'm sure it has occurred to many that:
  • there is no reason to cap the price at $100K per 0D
  • there is no reason (yet) to commit to self-regulate

I don't think we can afford to look the other way or merely smile and indulgently admire the admittedly considerable skills of these open market "Vulnerability Researchers".

In all this, let us also not forget that governments are paying our (taxpayer) money to actively grow this market. Oh yes, I forgot. The governments are only doing this to protect us. Strangely, I don't feel particularly safe on this account.


  1. This is a very well thought-out view and forces people to start thinking about this important issue.

  2. It reminds me of a gang which operates on Lucknow-Delhi trains. Some are observers. They spot passengers with money bags. They pass on the info to expert thieves for a 'price'. The thief would try his best until the train reaches the end of his "territory". Then, while getting down, he would sell the info to the new thief who gets in at the station. Nothing wrong with noticing vulnerabilities. The target passenger would be only too happy to buy info on his own vulnerabilities, if at all someone were selling that. The offer to sell would itself land the seller in trouble, and no sale would be done.

    Thought-provoking for this methodical madness of the IT world.

  3. It is quite a candid article and one with foresight. The solution is there, but do we have the guts and passion to go beyond the greed to do this? All eGovernance projects are, sadly, built around product offerings/solutions from top vendors, and with that mindset PPP models/projects take a beating. With so many vendors providing IT solutions to businesses, "security" is distributed over heterogeneous teams who don't have a single view into organizational assets. Moreover, single-point authority is distributed and therefore there is no ownership. From my perspective, at a state level, have a centralized CoE in Security with responsibility entrusted to a single position (DMRC, e.g.) for all MMPs. We NEED to recognize, understand and question "What would I lose (data, information) if I got breached?".
    Set up an R&D team that would work within this SOC, eating-breathing-sleeping research on vulnerabilities. R&D has never been our forte, and that is why private organizations hold us to ransom. All this is in no way an easy task in today's scenario, and will never happen unless WE OWN information (data) and its associated results.