A newly launched vendor that buys and sells exploits is making a play to corner the world’s most dangerous attacks.
In the wake of the Hacking Team’s massive leak that revealed details about the murky world of selling and buying exploits, a new company, Zerodium, has emerged in the hope of becoming the go-to company for exclusively “high risk vulnerabilities with fully functional/reliable exploits”.
As ThreatPost noted, Zerodium is the brainchild of well-known hacker Chaouki Bekrar, the founder of Vupen, a French security firm that develops its own exploits that are sold to clients but doesn’t buy exploits.
The venture-backed company claims it will pay more than any other bug bounty for zero day flaws, including those run by Google, Mozilla and third-party bounties such as the Microsoft- and Facebook-backed Internet Bug Bounty.
Despite Silicon Valley firms offering tens of thousands of dollars in cash rewards, Zerodium could easily out-bid them. The startup doesn’t say how much it will pay for a bug, but an analysis by researcher Vlad Tsyrklevich of Hacking Teams’ leaked internal correspondence indicates Vupen wanted at least $100,000 to part with each high quality exploit it developed, while correspondence from US-based exploit broker Netragard suggested an exclusive exploit for iOS could fetch as much as $1 million.
By contrast, Google’s top payout to date is about $40,000 for a string of flaws, and the company’s largest payment for a single flaw is $20,000. Microsoft offers $100,000 for an exploit that bypasses Windows’ anti-exploitation technologies.
“We only acquire high-risk flaws accompanied by a fully functional and reliable exploit leading to arbitrary code execution, or privilege escalation, or sandbox bypass/escape, or sensitive information disclosure,” Zerodium says on its FAQ.
Zerodium explains that it’s filling a gap in the vulnerability acquisition market, the majority of which “focus on quantity instead of quality”, and as such is willing to out-do the low-value payments from Silicon Valley.
The company intends to use the bugs it buys to form part of its security research “feed” and claims its customers include “major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.”
The startup is on the hunt for bugs and exploits affecting all the usual suspects that have a wide impact, ranging from the latest Windows, OS X, Android and iOS, to browsers, Flash, web server software, email services, popular web applications like WordPress as well as networking devices.
However, it isn’t interested in bugs that could be used to attack Facebook’s or Google’s servers and urges researchers to report them to the vendor’s official bug bounty program. It also won’t accept bugs from researchers located in nations facing sanctions from the US or UN.
Zerodium has arrived on the exploit acquisition scene as others make their exit and the move comes as the US plans to step up regulations on the export of software exploits.
Earlier this month Netragard announced it would terminate its Exploit Acquisition Program after Hacking Team’s leak revealed a relationship between the two companies and that exploits it sold to Hacking Team may have been used by governments with questionable human rights records — an outcome Netragard said it worked hard to avoid.
Tsyrklevich’s analysis revealed that Vupen was one of a dozen companies that it acquired exploits from, though emails indicated the relationship was strained due to competitive reasons.
This article is brought to you by Enex TestLab, content directors for CSO Australia.