In case you thought that the mass exodus of researchers from TippingPoint’s Zero Day Initiative in recent months meant that the demand for third-party vulnerability markets was waning, fear not. Several former members of the ZDI team have come back together to form a new firm called Exodus Intelligence that will have its own vulnerability purchasing program, among other offerings.
The new team at Exodus includes Aaron Portnoy, the former head of the ZDI vulnerability program, and Brandon Edwards, another veteran of the ZDI team. The exact nature of the company’s new bug-buying program is still under wraps, but the Exodus site says the company will also offer a security intelligence service that provides customers with customized information on new vulnerabilities and threats.
“Exodus Intelligence provides actionable security information through a vulnerability intelligence data feed. This data feed consists of detailed analysis of zero-day vulnerabilities, their relative risk, proprietary vulnerability research, and recommendations for mitigation,” the company says.
“By leveraging the expertise and insight of a highly experienced research team, in conjunction with insight derived from an external vulnerability research acquisition program, the Exodus Intelligence feed delivers up-to-date, accurate, and relevant security information, enabling its customers to make informed decisions to strengthen their security posture.”
The concept of providing customers with private data feeds based on threat and vulnerability intelligence is one that’s gaining a lot of traction in the security world right now. In an age of targeted and state-sponsored attacks, organizations are looking for any edge they can get in defending their networks, and up-to-date intelligence on live attacks and exploits can provide that edge.
The other part of Exodus’s business, the vulnerability purchasing program, is the bit that’s likely to draw most of the attention, though. Vulnerability sellers such as VUPEN have drawn criticism for finding bugs through internal research, keeping them private and providing the details only to paying customers. The main criticism of this model is that keeping the information private leaves the majority of organizations at risk from attacks against a given bug, in the name of selling the information to a select few.
ZDI’s program uses a different model, buying vulnerability info from researchers and then privately disclosing it to the affected vendors, who then develop patches and eventually disclose the flaws publicly. Where Exodus Intelligence’s new program falls on that continuum remains to be seen.
This article was edited on June 19 to clarify VUPEN’s business model.