More Exploits For Sale Means Better SecuritySelling exploits can help companies test their systems, but is there room for an independent market?
For a decade, security researchers have been able to earn money by selling the details of significant vulnerabilities to bounty programs: first to the Vulnerability Contributor Program launched by iDefense in 2002, and then to TippingPoint's Zero Day Initiative, which went live in 2005.
Extending the model, security research and testing firm NSS Labs launched ExploitHub, an app store model for the sale of code to exploit known vulnerabilities. Preapproved buyers can browser the store and pay anywhere from $50 to $1,000 for ready-to-use exploit code.
Yet the mix of attack code has been anemic. A look at ExploitHub shows that sellers are hawking code that attacks Oracle, Novell, and a handful of Windows vulnerabilities. NSS Labs hopes to change that: Last week, the company introduced a voting system for buyers to specify vulnerabilities of interest, as well as a prize system that pays a bounty for posting code to exploit the flaws. The company plans to pay between $200 to $500 for working attacks that target specific vulnerabilities in Internet Explorer and Adobe Flash.
By providing exploits that are in greater demand, defenders are better served, says Rick Moy, CEO of NSS Labs.
"The bad guys have the ability to create these exploits and launch them maliciously," he says. "But the good guys don't even have access to those exploits, so they can't test their defenses to tell whether they are secure or not."
While zero-day attacks -- targeting previously unknown and unpatched vulnerabilities -- are a wide concern, companies need to test their security against known vulnerabilities as well. The majority of firms delay rolling out patches, and to make sure that they are not leaving themselves vulnerable to attack, must be able to block the exploitation of their software.
By selling exploits for known flaws, ExploitHub helps IT security teams and penetration testers check an organization's security, and it keeps software vendors pressured to push out patches for major vulnerabilities, says Marc Maiffret, chief technology officer for eEye Digital Security, a network and host-based security firm.
"I think the more we can do to get people to do vulnerability research and report issues to vendors rather than selling it to some bad guys out there, the better," he says.
ExploitHub also offers an alternative to researchers. While it might not be as lucrative as selling original vulnerabilities to the two major bounty programs, which typically pay up $1,000 to $5,000 for significant security flaws, it offers a legitimate choice to selling their coding services to the criminal markets.
"You will have a lot of people out there who want to make exploits, and they may not be able to get a job with a pen-testing firm," says Thomas Kristensen, chief security officer for vulnerability management firm Secunia. "There will be room for an ExploitHub."
NSS Labs' Moy points to the 15,000 to 17,000 critical vulnerabilities found in the past five years as an enormous opportunity for attackers and, thus, for exploit writers who want to help defenders do their jobs better. The major penetration-testing tools -- Immunity's Canvas, Core Security's Core Impact, and Metasploit, which is now maintained by Rapid7 -- have exploits for some 1,000 vulnerabilities. The gap represents a great opportunity, Moy says.
"The zero-day stuff is all sexy and hot ... and that is fine, but in the big picture of security, the zero-day stuff is a narrower facet of the problem," he says.
Yet eEye's Maiffret is not sold on the viability of a market for non-zero-day flaws.
"Who cares if you have exploits for known vulnerabilities?" he says. "If you are a company getting exploited by known vulnerabilities, your security is not doing its job."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.