Exploit Sales: The New Disclosure Debate

Vulnerability disclosure discussions were the favorite parlor game of the security community for a long time, but slowly and surely, debates over exploit sales are nudging disclosure off its pedestal.

The security community is one that thrives on controversy, drama and debate. For years–decades, really–no topic satisfied this desire like vulnerability disclosure. Long after every possible argument had been forwarded and the horse was not just dead but buried and the grave covered by a strip mall, the debate has limped along, like Happy Days post-shark jump. Now comes the flood of bilious opinions regarding the commercial exploit market, a discussion that feels even more pointless than the disclosure debate because there’s absolutely nothing to debate.

In the beginning, the disclosure debate was just that, a debate. People with well-formed opinions based on their experiences with finding and publishing vulnerabilities, or, on the other end of the equation, dealing with those reports and fixing the bugs. Most researchers argued that they had the right to do what they wanted with the vulnerabilities they found. For a long time, researchers generally kept details private and dealt with the vendors in the background, only publishing the details when a fix was ready. There were exceptions, researchers who simply published what they found whenever they felt like it, either never notifying the vendor or doing so a day or two before they posted their advisories.

That dynamic changed gradually as some researchers began using the possibility of full disclosure as a hammer to pressure vendors into responding to advisories more quickly and dealing with researchers in a professional manner. Some vendors got with the program, others didn’t. Some researchers chose to work with vendors within a loosely defined set of guidelines, others didn’t. And so it’s gone for the last decade or so.

There are reasonable arguments to be made on both sides of the disclosure debate, and there are smart, thoughtful people articulating a variety of positions. But there’s also a huge amount of invective, finger pointing and name-calling involved, all of which may be fun to watch, but it’s not very productive.

There are a lot of echoes of the disclosure debate in the current discussions about exploit sales. The commercial exploit market has developed relatively quickly, at least the public portion of it. Researchers have been selling vulnerabilities to a variety of buyers–government agencies, contractors, other researchers and third-party brokers–for years. But it was done mostly under cover of darkness. Now, although the transactions themselves are still private, the fact that they’re happening, and who’s buying (and in some cases, selling) is out in the open. As with the disclosure debate, there are intelligent people lining up on both sides of the aisle and the discussion is generating an unprecedented level of malice.

One difference this time around is that there are large piles of currency involved, not to mention the privacy, security–and in some cases, physical security–of people in countries around the world. Governments are buying exploits and using them for a variety of purposes. Some are using them to spy on their own citizens, while others are using them to attack their enemies’ networks. And government contractors and other private buyers are purchasing them for their own uses, as well.

Debating the morality or legality of selling exploits at this point is useless. This is a lucrative business for the sellers, who range from individual researchers to brokers to private companies. There are millions of dollars involved, and with that much money at stake, this business is not going away. And it is a business, make no mistake. Some sellers, such as VUPEN, say that they only sell exploits to NATO governments and will never sell to oppressive regimes. Chaouki Bekrar, the VUPEN CEO, has told me this many times, and I’ve heard him say the same thing to any number of other people in the last few years. I am inclined to believe him. But that’s almost beside the point. The issue is that once the exploit is sold, there’s no way to know how it will be used or who it may be shared with. A government buyer could act as a front for a third party that wouldn’t be able to buy the exploit on its own. And VUPEN is just one company. There are countless others that don’t have such explicit rules.

Moxie Marlinspike

Moxie Marlinspike

If you need a possible example, look no further than the odd situation that Moxie Marlinspike found himself in recently. Contacted by agents of the Saudi Arabian telecom company Mobily for help with technology to enable interception of traffic from Twitter, Viber and other apps, Marlinspike looked at a design document the group volunteered. He saw that they were contemplating buying SSL exploits as a way to solve their traffic-intercept problems. Marlinspike declined to help with the project, but said that he assumes Mobily will find a way around the issue.

“Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over 5 billion in revenue, so I’m sure that they’ll eventually figure something out,” Marlinspike, a security researcher and former Twitter security official, wrote.

“What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter – I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low.”

That kind of national-scale surveillance is just one application for exploits, commercial or otherwise. As Marlinspike said, even without his considerable knowledge and talent, it’s likely that Mobily had already found its own method for intercepting WhatsApp traffic. Governments, telecoms and other well-funded groups will find a way, whether it’s through their own research, the purchase of commercial exploits or some other method.

The debate shouldn’t be about whether exploits should be sold–they are, and nothing short of an outright legal ban is likely to change that. A commercial market has emerged for this information and markets with willing buyers and sellers don’t simply disappear. They typically expand until either the supply or the demand reaches a limit. There’s no shortage of demand for exploits right now, and the supply will continue to flow as long as the money is there.

Welcome to the era of surveillance.

Suggested articles