Insight Into the Zero-Day Vulnerability Business
August 14, 2015
An ironic security breach grants a rare glimpse into the workings of an outfit that sells information on security vulnerabilities, we learn from “Hacking Team: a Zero-Day Market Case Study” at Vlad Tsyrklevich’s blog. Software weak spots have become big business. From accessing sensitive data to installing secret surveillance software, hackers hunt for chinks in the armor and sell that information to the highest (acceptable) bidder. It seems to be governments, mostly, that purchase this information, but corporations and other organizations can be in the market, as well. The practice is, so far, perfectly legal, and vendors swear they only sell to the good guys. One of these vulnerability vendors is Italian firm Hacking Team, known for its spying tools. Hacking Team itself was recently hacked, its email archives exposed.
Blogger Vlad Tsyrklevich combs the revealed emails for information on the market for zero-day (or 0day) vulnerabilities. These security gaps are so named because once the secret is out, the exposed party has “zero days” to fix the vulnerability before damage is done. Some may find it odd just how prosaic the procedure for selling zero-days appears. The article reveals:
“Buyers follow standard technology purchasing practices around testing, delivery, and acceptance. Warranty and requirements negotiations become necessary in purchasing a product intrinsically predicated on the existence of information asymmetry between the buyer and the seller. Requirements—like targeted software configurations—are important to negotiate ahead of time because adding support for new targets might be impossible or not worth the effort. Likewise warranty provisions for buyers are common so they can minimize risk by parceling out payments over a set timeframe and terminating payments early if the vulnerability is patched before that timeframe is complete. Payments are typically made after a 0day exploit has been delivered and tested against requirements, necessitating sellers to trust buyers to act in good faith. Similarly, buyers purchasing exploits must trust the sellers not to expose the vulnerability or share it with others if it’s sold on an exclusive basis.”
The post goes on to discuss pricing, product reliability, and the sources of Hacking Team’s offerings. Tsyrklevich compiles specifics on dealings between Hacking Team and several of its suppliers, including the companies Netragard, Qavar, VUPEN, Vulnerabilities Brokerage International, and COSEINC, as well as a couple of freelancing individuals. See the article for more on each of these (and a few more under “miscellaneous”). Tsyrklevich notes that, though the exposure of Hacking Team’s emails has prompted changes to the international export-control agreement known as the Wassenaar Arrangement, the company itself seems to be weathering the exposure just fine. In fact, their sales are reportedly climbing.
Cynthia Murrell, August 14, 2015