Claims surfaced earlier this week that the French security firm VUPEN, which is known for selling zero-day vulnerabilities to third parties, had been compromised and more than 100 of the company’s secret bugs had been leaked. However, VUPEN’s CEO said that the claims were totally false and there was no hack, let alone a leak of the company’s vulnerability inventory.
The claims of the hack on VUPEN seem to have started from a few tweets and a one-paragraph blog post with no identified source. Chaouki Bekrar, CEO of VUPEN, said in an email that there was nothing at all to the suggestion that his company had been compromised.
“The hack rumor is false of course,” Bekrar said.
“I do not have any specific information on the origin of the rumour, anyway it can potentially be a destabilisation attempt originating from a software vendor who does not appreciate our research work.”
VUPEN’s business is selling vulnerabilities to a variety of organizations, including some governments. The company is circumspect about exactly who its clients are, but Bekrar says that VUPEN does not sell to oppressive regimes or other suspect organizations.
“We only sell to democracies. We respect international regulations, of course, and we only sell to trusted countries and trusted democracies,” he said in an interview in March at the CanSecWest conference. “We do not sell to oppressive countries.”
Still, VUPEN has more than its share of critics and detractors, many of them quite vocal. The company’s business model, not to mention its inventory of zero-day vulnerabilities, would make it a clear target for a variety of attackers. Getting access to the company’s store of bugs would be a huge coup for any competitor or detractor of VUPEN.
Some software vendors have been quite vocal in their criticism of what VUPEN does and how the company conducts its business. Even so, it is somewhat difficult, though not impossible, to imagine a major software vendor starting a disinformation campaign against VUPEN just to try to discredit the company. VUPEN is far from the only company in the business of selling bugs; it is just the most vocal and visible one. If VUPEN were to go away tomorrow, there would be plenty of competition to pick up the slack. Companies such as Google, Microsoft and Apple, whose products are the targets of the bugs VUPEN sells, would still have vulnerabilities, and there would still be buyers for them.