Netragard, one of the small number of companies that buys and sells exploits, has shut down its exploit acquisition program in the wake of the HackingTeam breach.
Among the revelations in the cache of documents leaked after the attack on HackingTeam was information about Netragard selling an exploit to the Italian maker of intrusion and surveillance software. The HackingTeam documents also showed that the company sold its products to a variety of customers associated with oppressive regimes, including Egypt and Ethiopia. In the past, HackingTeam officials had denied that they dealt with such customers, but the leaked emails and other documents from the attack earlier this month showed otherwise.
After the documents became public, Netragard officials said that they had sold only one exploit to HackingTeam and characterized it as an exception to the company’s normal policy of dealing only with customers in the United States. Netragard CEO Adriel Desautels said in the immediate aftermath of the breach that the company was ending its relationship with HackingTeam.
“The breach of HackingTeam is a blessing in disguise. The breach exposed their customer list which contained a variety of questionable countries known for human rights violations. Their customers are the very same customers that we’ve worked so hard to avoid. It goes without saying that our relationship with them is over and we’ve tightened our vendor vetting process,” he said in a blog post on July 9.
Now, Desautels said the company has decided to end its exploit acquisition program altogether due to the ethical and political issues it involves.
“We’ve decided to terminate our Exploit Acquisition Program (again). Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam, unbeknownst to us until after their breach, was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations. While it is not a vendor’s responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it,” he said in a blog post over the weekend.
Companies such as Netragard, VUPEN, and others that develop, buy, or sell vulnerabilities and exploits have become lightning rods in the security and political realms of late. Critics question the morality of selling such tools, especially given the difficulty of knowing how buyers will use the bugs and exploits. The sellers counter that selling exploits to customers for defensive purposes or for use in law enforcement operations is a legitimate business. The debate has spurred calls for regulation of the exploit market, something that Desautels said he supports.
“If and when the 0-day market is correctly regulated we will likely revive EAP. The market needs a framework (unlike Wassenaar) that holds the end buyers accountable for their use of the technology (similar to how guns are regulated in the US). It’s important that the regulations do not target 0-days specifically but instead target those who acquire and use them,” Desautels said.
“It is important to remember that hackers don’t create 0-days but that software vendors create them during the software development process. 0-day vulnerabilities exist in all major bits of software and if the good-guys aren’t allowed to find them then the bad-guys will.”
The Wassenaar Arrangement is a multilateral export-control agreement whose 2013 amendments added controls on “intrusion software” and the technology used to develop it, controls that critics say would sweep in exploits and the tools used to build them. Those controls have been in force in the European Union for some time, but are only now close to being implemented in the U.S. The open comment period on the Commerce Department’s Bureau of Industry and Security’s proposed rule implementing the Wassenaar controls ends today.