A noted seller of exploits has launched a mysterious new program to allow bug hunters to sell for a high price.
Image: Michael Schreifels/Flickr
In recent years, tech companies like Google and Facebook, among others, have begun offering bounties to friendly hackers who tell them about bugs or holes in their software so that they can fix or patch them.
The rise of these so-called "bug bounties" has created an entire new breed of startups dedicated to connecting independent white hat (ethical) hackers to companies that might have insecure software. This has created a legal market that has helped hackers make millions of dollars in rewards and companies plug holes that could have otherwise been exploited by black hat (not so ethical) hackers.
But there's also a small, controversial gray market, where highly skilled hackers sell rare, valuable bugs and exploits—called "zero-days" because they are unknown to the vendor or company who could patch them—to intelligence agencies around the world.
One of the people living in that world is the famous hacker Kevin Mitnick, for example. Another of those sellers, the French security firm VUPEN, was once famously called a "modern-day merchant of death."
Bekrar is ready to strike back with a new, somewhat mysterious, startup that lives in that same gray world.
In the past, the company's founder, Chaouki Bekrar, has certainly embraced the role of the bad guy, using Darth Vader as his Twitter avatar. Now, after months of relative quiet (the company's website has been practically empty since last year), and with rumors circulating that VUPEN might be dead, Bekrar is ready to strike back with a new, somewhat mysterious startup that lives in that same gray world.
Bekrar, who has sold to the likes of the NSA, launched the new startup on Thursday. It's called Zerodium, a play on the Latin word "dium," the plural of "gods."
"We see so many security researchers being frustrated by the lack of decent rewards for critical vulnerabilities," Bekrar told me in an email. "There are plenty of bug bounty programs out there but absolutely none of them is a premium zero-day acquisition platform focusing on high-end research and exploits."
Many details of this new venture are murky right now.
Berkrar said Zerodium is different from bug bounty startups such as Bugcrowd, HackerOne or Synack because it's a "high-end," "premium" service to help researchers sell exploits and bugs that are "discovered, held, or sometimes stockpiled by talented researchers around the globe."
Zerodium, he added, will make money selling "major corporations" and "government organizations" a subscription to a "feed," from which they'll be able to get information about the exploits. This feed will include "detailed technical information about each vulnerability and its exploitation techniques, as well as a defense guidance to protect against attacks."
But Bekrar declined to say whether the end goal of Zerodium is for the customers to patch their systems, or for governments to exploit the vulnerabilities themselves to hack and spy on surveillance targets.
He explained that Zerodium will analyze, document, and report all the information "along with protective measures and security recommendations" to its clients. But when I asked him whether Zerodium will also report the vulnerabilities to the vendors, he declined to answer.
Zerodium, according to its site, won't accept bugs and exploits for online services such as Facebook or Google, but will accept those that affect major operating systems, web browsers, mobile phones, and applications such as Adobe Flash Player or Microsoft Office.
Other than this, Bekrar isn't talking too much. He declined, for example, to identify who else is behind the company, only saying it was founded by a "group of security researchers backed by private investors."
"I have doubts that such a business is viable."
Dan Guido, the founder of security firm Trail of Bits, is skeptical that Zerodium, or Exodus, which is another similar company, actually have a real place in the market. The problem is that given the kind of bugs they go after, Guido said, these companies won't be "overwhelmingly popular among enterprises."
The information provided by Zerodium or Exodus, he added, is not "intelligence" that could be used by a financial firm's security teams, for example.
"I would hesitate to even call it intelligence, it's just a list of bugs at that point," he told Motherboard in an email. "I think it's pretty clear that Zerodium and Exodus are going after the same target market, and I don't think that market is very large."
Presumably, governments or vendors of government hacking and surveillance tools like Hacking Team might be more interested. But it's hard to estimate how thriving that kind of market actually is, as we know so little about how agencies such as the FBI or NSA acquire and use zero-days. (The NSA, it has to be noted, has a budget of $25 million to acquire such vulnerabilities.)
"I have doubts that such a business is viable if he only has a customer or two in the US," Guido said.
An early company providing such services, Endgame, left this market saying that "the exploit business is a crummy business to be in."
Moreover, the pending and controversial export controls that the US Government is currently contemplating could pose other risks for a company such as Zerodium. (It's not even clear where it's based, and thus what regulations it has to follow.) Depending on how the regulations shape up, researchers and companies might end up needing export licenses to sell bugs and exploits, which could hinder the entire market.Bekrar, who declined to say whether he's still working for VUPEN, said Zerodium is in contact with "many security researchers who are very excited about the project and its incentives." But the company still has no customers, he added, since it just launched and its focus is on "building a strong service" before approaching customers.