How The Sale Of Vulnerabilities Will Change In 2013

Bug-hunting mercenaries changing the vulnerability-buying marketplace

The market for the sale of zero-day vulnerabilities fundamentally shifted this year and, heading into 2013, bug hunters will increasingly play by a new set of rules, vulnerability experts say. As the sale of black market zero-day exploits continues to take off, and new gray market players make a fortune selling information about exploit techniques and unpatched vulnerabilities to corporations and nation states, vulnerability researchers are starting to pull their punches on how much they publicly disclose about their discoveries.

In years past, researchers would freely explain their exploit techniques and methods for bypassing specific security mitigations within targeted software when disclosing a vulnerability, says Brian Gorenc, manager of TippingPoint DVLabs at HP, which through the Zero Day Initiative (ZDI) pays researchers for responsibly disclosing vulnerabilities. ZDI is one of the early leaders in the vulnerability white market, paying bounties for bugs and facilitating disclosure and eventual patching by the affected software vendors. But that spirit of openness about exploit techniques is starting to go the way of the dodo, he says.

[Which applications and vendor dominated the vulnerability and exploit headlines in 2012? See The Vulnerability 'Usual Suspects' Of 2012.]

"I have a feeling that in the coming years that those techniques are going to come out less and less because of the value that is placed upon them," he says. "Because finding the vulnerability, for some of these guys, isn't the hard part. It's working around the mitigations once they've found it."

As he explains it, as security measures in operating systems and software improve and these mitigation bypass methods become more difficult, researchers are treating them as a key differentiator, so that "the techniques they're using to actually do exploitation are tightly held secrets for them." That is no wonder, considering that exploits sold on the free market are fetching big sums of cash.

And the information is not just worth money to the purely black market players selling to any takers, criminal or not. There are also those who occupy a shadowy gray market, selling information to nation states and corporations interested in using it for espionage, offensive security, or simply bolstering their own defenses through improved visibility into the threat landscape.

Regardless of who the customer is, the overarching commonality among researchers willing to sell their vulnerabilities outside the traditional white market is that disclosure to a vendor means an eventual patch, which inevitably cuts off the revenue stream for that golden nugget of technical knowledge. And considering that the ultimate goal of players like ZDI is to eventually get the vulnerabilities they pay researchers for disclosed to the vendor for patching, many researchers are forgoing the easy cash of a vendor bounty for bugs in favor of trying their luck hawking flaws on the open market.

"When you look at the motivations for the people in the black market, they want to keep vulnerabilities unpatched, right?" Gorenc says. "Same for the gray market when they're selling information about zero days there. Once those zero days are patched, that information's not as valuable as it was when it was unpatched."

It's why research firm Vupen, which sells exploit and vulnerability information on a subscription basis to customers, told Forbes earlier this year that it wouldn't share its exploit techniques with Google "for even $1 million." The comment was in reference to an incident last March where Vupen went head-to-head with Google over the search giant's request that as a competitor in the CanSecWest Conference Pwn2Own competition, Vupen turn over all of its exploit technique information. Vupen refused, conference organizers backed up the decision, and Google eventually pulled its sponsorship of the event, a contest that HP stepped in to back and Vupen eventually won. In a similar turn of events on the disclosure side, Vupen recently announced that it found some of the first ways to get around Windows 8 security mitigations and went on the record to state it wouldn't be disclosing the vulnerabilities to Microsoft.

For its part, Vupen says it doesn't sell its vulnerability information to cybercriminals or oppressive governments, sticking primarily with corporate customers and what it deems the more cuddly variety of nation states. But many in the market are far more mercenary, says Frank Artes, research director for NSS Labs, a research and testing firm that often buys zero-day vulnerabilities to use for testing the effectiveness of heuristics in endpoint and network security products.

"They'll sell to whomever offers the money for the product that they're looking to sell, and they'll often sell it to several people at once," he says. "It's not an exclusive thing unless, of course, ironically enough, in the terms and conditions of the sale they are actually selling variants of the attack that they have committed not to sell to somebody else."

While this kind of attitude will continue to grow in 2013, Gorenc predicts, he also believes there's still room in the world for researchers willing to make a smaller amount of cash while helping the public good through responsible disclosure to vendors.

"We're definitely seeing the marketplace become more complex, but there's always room for the people operating in the white market. Not everybody's a bad guy," he says. "Not everybody's weaponizing and using the vulnerabilities for evil. There's always going to be people out there who want to do that research, want to be compensated well for that research, and get the bugs fixed and improve the overall security posture of the industry."

Nevertheless, the new dynamics created by black market and gray market premiums on secrecy have changed the vulnerability-buying game. The pressure is such that many zero days now have a life cycle in which they first hit the black market or gray market and then gain new legs by being sold as a "new" vulnerability on the white market some time later.

"It's not uncommon to see the life cycle of these zero days being sold first within the black market and then surfacing afterward and being resold again to like the HPs of the world or Sourcefires and so forth and then, of course, eventually into groups like us," Artes says. "It's an interesting blur because the people that we do watch we know sell to government agencies and every once in a while will throw us a bone or allow us to bid on something."

12/7/2012 | 12:22:25 PM
re: How The Sale Of Vulnerabilities Will Change In 2013
Really insightful article and very important issue you approached in this article! I personally agree with Gorenc's predictions and I believe that while this kind of attitude will continue to grow in 2013, there's still room in the world for researchers willing to help the public good through responsible disclosure to vendors. Also, I would like to add that since most large organizations rely on a mix of COTS hardware, 3rd party software applications, communication technologies, and custom code to run their IT infrastructure, it's difficult to apply a single security assessment solution to ensure adequate coverage and protection. If organizations want to better understand where they are most vulnerable, they need to view their systems holistically. To better understand what I mean, I recommend this article: http://blog.securityinnovation....
Hope you enjoy it!