Historically ethical researchers would provide their findings free of charge to software vendors for little more than a mention. In some cases vendors would react and threaten legal action citing violations of poorly written copyright laws that include but are not limited to the DMCA. To put this into perspective, this is akin to threatening legal action against a driver for pointing out that the breaks on a school bus are about to fail.
This unfriendliness (among various other things) caused some researchers to withdraw from the practice of full disclosure. Why risk doing a vendor the favor of free work when the vendor might try to sue you?
Organizations like CERT help to reduce or eliminate the risk to security researchers who wish to disclose vulnerabilities. These organizations work as mediators between the researchers and the vendors to ensure safety for both parties. Other organizations like iDefense and ZDI also work as middlemen but unlike CERT earn a profit from the vulnerabilities that they purchase. While they may pay a security researcher an average of $500-$5000 per vulnerability, they charge their customers significantly more for their early warning services. Its also unclear (to us anyway) how quickly they notify vendors of the vulnerabilities that they buy.
The next level of exploit buyers are the brokers. Exploit brokers may cater to one or more of three markets that include National, International, or Black. While Netragard’s program only sells to National buyers, companies like VUPEN sell internationally. Also unlike VUPEN, Netragard will sell exploits to software vendors willing to engage in an exclusive sale. Netragard’s Exploit Acquisition Program was created to provide ethical researchers with the ability to receive fair pay for their hard work; it was not created to keep vulnerable software vulnerable. Our bidding starts at $10,000 per exploit and goes up from there.
Its important to understandwhat a computer exploit is and is not. It is a tool or technique that makes full use of and derives benefit from vulnerable computer software. It is not malware despite the fact that malware may contain methods for exploitation. The software vulnerabilities that exploits make use of are created by software vendors during the development process. The idea that security researchers create vulnerability is absurd. Instead, security researchers study software and find the already existing flaws.
The behavior of an exploit with regards to malevolence or benevolence is defined by the user and not the tool. Buying an exploit is much like buying a hammer in that they can both be used to do something constructive or destructive. For this reason it’s critically important that any ethical exploit broker thoroughly vet their customers before selling an exploit. Any broker that does not thoroughly vet their customers is operating irresponsibly.
What our customers do with the exploits that they buy is none of our business just as what you do with your laptop is not its vendors business. That being said, any computer system is far more dangerous than any exploit. An exploit can only target one very specific thing in a very specific way and has a limited shelf life. It is not entirely uncommon for vulnerabilities to be accidentally fixed thus rendering a 0-day exploit useless. A laptop on the other hand has an average shelf life of 3 years and can attack anything that’s connected to a network. In either case, its not the laptop or the exploit that represents danger it’s the intent of its user.
Finally, most of the concerns about malware, spyware, etc. are not only unfounded and unrealistic, but absolutely absurd. Consider that businesses like VUPEN wants to prevent vendors from fixing vulnerabilities. If VUPEN were to provide an exploit to a customer for the purpose of creating malware then that would guarantee the death of the exploit. Specifically, when malware spreads antivirus companies capture and study it. They would most certainly identify the method of propagation (the exploit) that in turn would result in the vendor fixing the vulnerability.