How The Sale Of Vulnerabilities Will Change In 2013

The market for the sale of zero-day vulnerabilities fundamentally shifted this year and, heading into 2013, bug hunters will increasingly play by a set of new rules, vulnerability experts say. As the sale of black market zero-day exploits continues to take off and new gray market players make a fortune selling information about exploit techniques and unpatched vulnerabilities to corporations and nation states, vulnerability researchers are starting to pull the punches on how much public disclosure they offer about their discoveries.

In years past, researchers would freely explain their exploit techniques and methods for bypassing specific security mitigations within targeted software when disclosing a vulnerability, says Brian Gorenc, manager of TippingPoint DVLabs at HP, which through the Zero Day Initiative (ZDI) pays researchers for responsibly disclosing vulnerabilities. ZDI is one of the early leaders in the vulnerability white market, paying bounties for bugs and facilitating disclosure and eventual patching by the affected software vendors. But that spirit of openness about exploit techniques is starting to go the way of the dodo, he says.

[Which applications and vendor dominated the vulnerability and exploit headlines in 2012? See The Vulnerability 'Usual Suspects' Of 2012.]

"I have a feeling that in the coming years that those techniques are going to come out less and less because of the value that is placed upon them," he says. "Because finding the vulnerability, for some of these guys, isn't the hard part. It's working around the mitigations once they've found it."

As he explains it, as security measures in operating systems and software improves and these mitigation bypass methods become more difficult, researchers are considering them a key differentiator so that "the techniques they're using to actually do exploitation are tightly held secrets for them." It is no wonder, considering that these exploits sold on the free market are fetching big sums of cash.

And it is not just worth money to the purely black market players selling to any takers, criminal or not. There are those who occupy a shadowy gray market, selling information to nation states and corporations interested in using it for spy work, offensive security, and also simply just bolstering their protections through improved visibility into the threat landscape.

Regardless of who the customer is, the overarching commonality among researchers willing to sell their vulnerabilities outside the traditional white market is that disclosure to a vendor means an eventual patch, which inevitably cuts off the revenue stream for that golden nugget of technical knowledge. And considering that the ultimate goal of players like ZDI is to eventually get the vulnerabilities they pay researchers for disclosed to the vendor for patching, many researchers are forgoing the easy cash of a vendor bounty for bugs in favor of trying their luck hawking flaws on the open market.

"When you look at the motivations for the people in the black market, they want to keep vulnerabilities unpatched, right?" Gorenc says. "Same for the gray market when they're selling information about zero days there. Once those zero days are patched, that information's not as valuable as it was when it was unpatched."

It's why research firm Vupen, which sells exploit and vulnerability information on a subscription basis to customers, told Forbes earlier this year that it wouldn't share its exploit techniques with Google "for even $1 million." The comment was in reference to an incident last March where Vupen went head-to-head with Google over the search giant's request that as a competitor in the CanSecWest Conference Pwn2Own competition, Vupen turn over all of its exploit technique information. Vupen refused, conference organizers backed up the decision, and Google eventually pulled its sponsorship of the event, a contest that HP stepped in to back and Vupen eventually won. In a similar turn of events on the disclosure side, Vupen recently announced that it found some of the first ways to get around Windows 8 security mitigations and went on the record to state it wouldn't be disclosing the vulnerabilities to Microsoft.

For its part, Vupen says it doesn't sell its vulnerability information to cybercriminals or oppressive governments, sticking primarily with corporate customers and what it deems the more cuddly variety of nation states. But many in the market are far more mercenary, says Frank Artes, research director for NSS Labs, a research and testing firm that often buys zero-day vulnerabilities to use for testing the effectiveness of heuristics in endpoint and network security products.

"They'll sell to whomever offers the money for the product that they're looking to sell, and they'll often sell it to several people at once," he says. "It's not an exclusive thing unless, of course, ironically enough, in the terms and conditions of the sale they are actually selling variants of the attack that they have committed not to sell to somebody else."

While this kind of attitude will continue to grow in 2013, Gorenc predicts, he also believes there's still room in the world for researchers willing to make a smaller amount of cash while helping the public good through responsible disclosure to vendors.

"We're definitely seeing the marketplace become more complex, but there's always room for the people operating in the white market. Not everybody's a bad guy," he says. "Not everybody's weaponizing and using the vulnerabilities for evil. There's always going be people out there who want to do that research, want to be compensated well for that researchm and get the bugs fixed and improve the overall security posture of the industry."

Nevertheless, the new dynamics posed by black market and grey market premiums on secrecy has changed the vulnerability-buying game. The pressure is making it such that many zero days have a life cycle where they may first hit the black market or grey market and then gain new legs being sold as a "new" vulnerability on the white market some time later.

"It's not uncommon to see the life cycle of these zero days being sold first within the black market and then surfacing afterward and being resold again to like the HPs of the world or Sourcefires and so forth and then, of course, eventually into groups like us," Artes says. "It's an interesting blur because the people that we do watch we know sell to government agencies and every once in a while will throw us a bone or allow us to bid on something."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.