ReVuln Emerges as New Player in Vulnerability Sales Market

It’s getting difficult these days to keep track of all of the companies, public and otherwise, that are buying and selling vulnerabilities or information on bugs, and now there’s another group on the scene: ReVuln. But, unlike other companies in the industry, ReVuln is mostly focusing its efforts on vulnerabilities in SCADA and ICS software, the applications that run utilities, industrial systems and other sophisticated systems.


ReVuln is led in part by Luigi Auriemma, a prolific vulnerability researcher who is known mainly for his work on SCADA software. He’s published information on dozens of security vulnerabilities in a variety of SCADA products, but also has worked on other software. Earlier this year Auriemma reported a critical vulnerability in Microsoft’s RDP service that later became the center of a lot of discussion after a packet that he included in his original vulnerability report to Microsoft surfaced as part of an exploit for the bug found on a Chinese download site.

That leak led to an investigation by Microsoft that eventually found a Chinese security company had leaked information on the vulnerability. That company, Hangzhou DPTech, was removed from Microsoft’s MAPP program, a service through which Microsoft shares advance information on vulnerabilities with various security companies before public releases.

Auriemma’s new venture is a move toward keeping information about vulnerabilities and exploits private, rather than turning new discoveries over to affected vendors or third-party brokers such as TippingPoint’s Zero Day Initiative. Auriemma said his intention is to forego the usual responsible disclosure routine of handing off information on new bugs to Microsoft or Cisco or any other vendor and then waiting for the company to patch the flaw on its timetable.

Instead, ReVuln will provide information on a subscription basis to customers who pay for the company’s “zero-day feed”, an email-based service that will provide data on newly discovered vulnerabilities in a variety of software platforms.

“Our plan is to not adopt the responsible disclosure except those cases in which there is no market or we prefer to see the bugs fixed. The idea is basically to continue what I have done till now but with a team and a different handling of the vulnerabilities and their market,” Auriemma said in an interview.

Unlike some other companies in this market, ReVuln won’t be buying bugs from other researchers and reselling them. The business is based on original vulnerability research by Auriemma and his partner, Donato Ferrante, a former researcher at RIM. In that respect, the ReVuln business is similar to that of VUPEN, the French firm that does original security research and sells its findings to private customers.

In the current climate, this is a lucrative, if controversial, business to be in. Information on privately discovered vulnerabilities is at a premium, with government agencies, defense contractors and other groups clamoring for exploits they can use against their various targets. Private bug sales have been going on for a long time, but it’s only within the last few years that the business has really become formalized and been brought out into the open to a certain degree.

Earlier this year a group of researchers from the Zero Day Initiative left to form their own firm, Exodus Intelligence, which runs a vulnerability purchase program to buy bugs from other researchers, among other services. Auriemma said that his company’s target market is companies looking for information to help them better defend their networks, not groups looking for offensive security information.

“Our target is mainly the defensive security providing information only to selected companies and governments. Currently we don’t have limitations regarding the types of software to test but obviously SCADA and ICS systems are our priority,” he said. “For the rest we provide consulting and training services.”

The security of SCADA and ICS systems has become a hot topic in recent months as attacks on utilities and critical infrastructure systems have bubbled up into the mainstream media and become a political football.
