UPDATE–In the weeks since the Hacking Team breach, the spotlight has shone squarely on the small and often shadowy companies that are in the business of buying and selling exploits and vulnerabilities. One such company, Netragard, this week decided to get out of that business after its dealings with Hacking Team were exposed. But now there’s a new entrant in the field, Zerodium, and there are some familiar names behind it.
The company was launched by Chaouki Bekrar, founder of VUPEN, a vulnerability and exploit broker that often is at the center of discussions about the legality and ethics of such businesses. VUPEN is one of the rare companies in that field that does all of its own research and development; it does not buy vulnerabilities or exploits from outside sources. But now, at a time when there has never been more attention from lawmakers, media, and governments, Bekrar has created a new venture that will wade fully into the purchase of bugs and exploits.
Zerodium plans to focus exclusively on buying high-risk vulnerabilities, leaving aside the lower end of the spectrum. The company will use the vulnerabilities it acquires to build a feed of vulnerabilities, exploits, and defensive measures that it provides to customers.
“ZERODIUM pays premium rewards to security researchers to acquire their zero-day discoveries and exploits affecting widely used operating systems, software, and/or devices. While the majority of existing bug bounty programs may accept almost any kind of vulnerabilities and PoCs but pay low rewards, at ZERODIUM we only focus on high-risk vulnerabilities with fully functional and reliable exploits, and we pay higher rewards,” the company’s site says.
Zerodium will be looking for vulnerabilities and exploits for the most commonly used platforms and applications, including Windows, OS X, and Linux; the four major browsers; Flash and Reader; Microsoft Office; Android, iOS, BlackBerry, and Windows Phone; and the major Web and mail servers. What the company is not interested in buying are partially working exploits or vulnerabilities in Web services such as Google or Twitter.
“ZERODIUM does not acquire theoretically exploitable or non-exploitable vulnerabilities. We only acquire zero-day vulnerabilities with a fully functional exploit whether including only one stage or multiple stages e.g. browser exploits with or without a sandbox bypass/escape are both eligible,” the company says.
The company says it will pay premium prices for the bugs and exploits it is seeking and will not buy from researchers who live in countries sanctioned by the United Nations or the United States. Zerodium does not specify what kinds of companies or organizations it will sell its service to, but Bekrar has always said that VUPEN only sells its exploits to law enforcement agencies and government customers in non-sanctioned countries.
“We only sell to democracies. We respect international regulations, of course, and we only sell to trusted countries and trusted democracies,” Bekrar said in an interview with Threatpost in 2012. “We do not sell to oppressive countries.”
VUPEN runs a subscription service that supplies customers with vulnerability data and exploits for zero days and other bugs. The company’s customers have included the NSA.
The demand for high-end vulnerabilities and exploits shows no signs of waning. Intelligence agencies, law enforcement organizations, and many other government agencies around the world are expanding their offensive security capabilities, and zero days are a key ingredient in how these teams operate. Exploits for undisclosed vulnerabilities are often used to compromise target systems as part of law enforcement investigations and intelligence operations, a controversial practice that has become even more so in the wake of the Hacking Team breach three weeks ago.
This story was updated on July 24 to correct that Zerodium was launched by Bekrar, not VUPEN.