Back in 2007, I participated in a panel discussion about full disclosure. Half the members wanted software vulnerabilities kept secret -- give the developer time to fix the problem. The other half argued for making the vulnerabilities public -- force the developers' hand.
The moderator didn’t like a tie, and tried as hard as he could to change the outcome, but the members were resolute.Fast forward to 2010.
Sometime during November of 2010, one of the panel members (and friend) called, "Everything's changed. Google's paying to keep vulnerabilities quiet. I sent you the link."
Sure enough, Google is buying vulnerabilities. Still, my friend was not completely accurate. Google was paying for what they call "responsible disclosure," not complete secrecy, but that's splitting hairs.
Back to the present
Early this year, the "keep secret" versus "full disclosure" versus "pay-for-vulnerability" debate lost its relevance. There's a new and lucrative way to monetize vulnerabilities. Christopher Soghoian was among the first to shed light on the issue. In this ZDNet interview, Ryan Naraine quotes Soghoian:
"VUPEN, FinFisher, and HackingTeam are among a handful of companies that buy and sell zero-day vulnerabilities, exploits, and remote monitoring tools to governments around the world."
Really, to governments? Naraine continues:
"Soghoian said these companies are purchasing vulnerabilities and exploits at prices ranging from $50,000 to $100,000 and work hard to keep them a secret forever. It's well known that companies like VUPEN never report vulnerabilities to vendors like Microsoft or Adobe."
I'm thinking that keeping the exploits zero-day does not bode well for us.
Kiss full disclosure goodbye
Towards the end of March 2012, Andy Greenberg of Forbes wrote two articles about the new vulnerability market: "The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)"and "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits." Greenberg even assembled a price list.
The dollar amount is per qualified vulnerability. According to Greenberg:
"Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software's vendor. Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit."
Who has that kind of money?
What I really wanted was corroboration for Soghoian, and Greenberg provided it. He asked a security trader (The Grugq) deeply involved in trading vulnerabilities, "Who's paying these prices?"
"Western governments and specifically the U.S., says Grugq, a native of South Africa. He limits his sales to the American and European agencies and contractors not merely out of ethical concerns, but also because they pay more."
Greenberg then points out who isn't buying:
"Selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money, Grugq says, explaining that he has no contacts in the Russian government. Russia is flooded with criminals. They monetize exploits in the most brutal and mediocre way possible, and they cheat each other heavily."
Nor the Chinese:
"As for China, Grugq says the country has too many hackers who sell only to the Chinese government, pushing down prices. The market is very depressed. Other regions like the Middle East and the rest of Asia can't match Western prices either."
That was March, and I've been trying to figure out what it all means since.
More to it than we think
I shouldn't need to introduce Bruce Schneier. If you read my stuff, you know I value his opinion. And, he has a pretty good idea where this latest trend is heading. In this Forbes article, he mentions:
"Regardless of the motivations, a disclosed vulnerability is one that -- at least in most cases -- is patched. And a patched vulnerability makes us all more secure."
"This is why the new market for vulnerabilities is so dangerous; it results in vulnerabilities remaining secret and unpatched. That it's more lucrative than the public vulnerabilities market means more hackers will choose this path."
Remember my mentioning that Schneier has an idea where this will lead, well here it is:
"And unlike the previous reward of notoriety and consulting gigs, it gives software programmers within a company incentive to deliberately create vulnerabilities in the products they're working on -- and then secretly sell them to some government agency."
For once, I'm hoping Bruce Schneier is wrong. But, I doubt it. I've already read where high-level contestants who normally compete in Pwn2Own aren't any more. They would rather keep what they found secret, and make the big bucks.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.