Pwn2OwnVANCOUVER–Say what you will about Chaouki Bekrar, but the man is nothing if not frank. Bekrar, who is the public face of the VUPEN team that has been toying with the Pwn2Own contest this week, has become a lightning rod in the debate over exploit sales, and from all outward appearances, he couldn’t be happier about it.

Opinions on Bekrar and VUPEN’s business model are as plentiful at the CanSecWest conference here as poutine or hackers with pierced lips. Everyone seems to have their own thoughts on whether the company should be in the business of selling vulnerabilities to governments and other unnamed organizations, but to Bekrar all of that is just noise. The only thing he’s interested in is doing challenging work and keeping his customers happy.

“We are here because this is a challenge for our team. It’s fun,” Bekrar said Thursday just after his team had used a pair of bugs to compromise Internet Explorer 9 on the second day of Pwn2Own.

One of those vulnerabilities will be handed over to TippingPoint’s Zero Day Initiative if VUPEN wins the contest. But the other one, a memory corruption flaw in IE’s protected mode sandbox, VUPEN will keep for itself and its customers. It can be reused in combination with other bugs in IE for future sales. This is one of the things that bothers other researchers and some vendors about the way that VUPEN does business.

Doesn’t selling bugs to one customer leave everyone else exposed to their use? It’s not a question that Bekrar contemplates much. For him, bugs are a valuable commodity and if his company can command high prices for them, then he’s not interested in giving them away for free.

The unasked question in all of this is who exactly is buying those bugs from VUPEN. The answer, Bekrar says, is quite simple.

“We only sell to democracies. We respect international regulations, of course, and we only sell to trusted countries and trusted democracies,” he said. “We do not sell to oppressive countries.”

Bekrar considers his company to be a creation of the current environment in the security community and the state of regulations surrounding information security. The company is an outgrowth of the former FR-SIRT, Bekrar said, and in its former incarnation the group published advisories with full vulnerability details. But a change in French law a couple of years ago essentially outlawed that practice, Bekrar said, and so they were forced to stop issuing full disclosure advisories about their research.

Casting about for something to do with the team, Bekrar and his colleagues hit upon the idea of using their talents to make money through private bug sales. Such sales have been going on for a long time, but it wasn’t until fairly recently that they’d been done in an organized, relatively open fashion. For Bekrar, it was a no-brainer.

“We were forced to change. Before, we used to give full disclosure to the government and others and then the law changed and now we sell them,” Bekrar said.

In the shadowy world of bug and exploit sales, Bekrar is an oddity: someone willing to discuss his company’s activities openly. Most of the other companies and individuals who engage in these sales do so quietly and are quite hesitant to talk about any aspect of it, whether it be prices, customers or even whether they’re selling bugs. But Bekrar is unabashed about what he’s doing and therefore has no qualms about any of it. It’s just business, after all.

“Have you ever met someone as transparent as me in this?” he asked. “No. No one else is like this.”

This article was edited on March 10 to correct the spelling of FR-SIRT.

Categories: Vulnerabilities