There’s a new entrant to the ethically grey-scaled world of cyber-arms/defense-dealing: Zerodium.
As its name suggests, it specializes in acquiring zero-day exploits. And then selling them off.
The start-up is backed by Vupen, the French vulnerability dealer that has often drawn controversy for brokering exploits to the highest bidder. Though it says it won’t deal with “oppressive governments,” Vupen has been criticized for eschewing the concept of community-minded white-hat research in favor of fueling a kind of cyber-arms race by delivering advanced capabilities into the hands of governments and others that can end up in the wrong hands—i.e., the Stuxnet effect.
For its part, Zerodium bills itself as an effort “to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”
It goes on to say that it has been founded by cybersecurity veterans with “unparalleled experience in advanced vulnerability research and exploitation,” and that it will essentially function like a third-party bug bounty program, rewarding independent researchers for their zero-day discoveries. From there, it will analyze, document and report the findings to its clients (organizations and governments), “along with protective measures and security recommendations.”
This could be seen in two lights, however. From the details, it could appear that Zerodium is looking to stockpile an arsenal of extremely dangerous, effective, and above all valuable weapons of cyber-destruction.
To wit: Its exploit acquisition program for security researchers will pay top dollar for what it stresses must be fully-functional exploits. Fully functional—i.e., fully weaponized. And Zerodium says it will pay much more than existing bug bounty programs from vendors; i.e., it will pay a researcher more for an exploit for Google Chrome than Google will. And presumably, with no intention of ever informing Google—or Google’s users—of the issue, because that kind of altruistic research would run counter to its business model.
The laundry list of what it’s seeking to pay for includes compromises for top targets like Joomla and Wordpress, web browsers, Flash, Apache, OpenSSL, mobile OS and more.
Obviously, there are plenty of legit applications for such a service. And there are also plenty of nefarious actors that would pay big money for that intel.
Zerodium seems to have anticipated that concern and added a disclaimer on its website: “Access to Zerodium solutions and capabilities is highly restricted and we will only respond to requests from eligible corporations and organizations.”
Zerodium says that its customers are major corporations in defense, technology and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.
Of course, there’s always the possibility for unintended consequences. Jeremiah Grossman, founder and CTO of WhiteHat Security, told Infosecurity in an interview last year that this type of business model creates a whole new incentive for ecosystem members to go to the dark side.
"As 0-days go for six to seven figures, imagine the temptation for rogue developers to surreptitiously implant bugs in the software supply chain," he commented. "It's hard enough to find vulnerabilities in source code when developers are not purposely trying to hide them."