NSS Labs late next month will open up a new online marketplace for researchers to sell their exploits to penetration testers and other buyers.
Exploit Hub is an iPhone App Store-style type marketplace that will provide researchers with a way to make money for the exploits they write for the open-source Metasploit pen-test framework, according to Rick Moy, director of independent testing lab NSS Labs. "The bad guys already have this stuff. We're trying to level the playing field," Moy says. "As soon as a patch is out there, it only takes a few hours for a competent exploit writer to reverse-engineer it with an exploit they can use."
The online marketplace model hasn't had much success in the past, however. But security researchers say Exploit Hub's approach might fare better because it's aimed at security professionals, and will vet participants as well as test the exploits before they go up for sale. It will only offer exploits for sale, not bugs like the former and now defunct WabiSabiLabi marketplace, and it won't allow exploits for any zero-day flaws -- only known vulnerabilities.
Chris Nickerson, CEO of Lares Consulting, says Exploit Hub could be mutually beneficial to both researchers and penetration testers. It will give researchers compensation for their exploit-writing work and provide in-house penetration testers without the expertise or development resources to purchase the exploits they need, he says. Even seasoned pen testers would have a place to buy exploits when they need them: "From a tester side, I'd be more than happy to invest in this because it's going to save some time of my guys [developing exploits with] Metasploit or Core plug-ins ... And it's going to give developers a more secure place to put" their exploits, he says.
There are times when writing your own exploit for a pen-testing engagement just isn't the best use of time. David Maynor, CTO at Errata Security, says writing exploits from scratch on-site can be time-consuming. "When you have a certain amount of time to test, it's a big decision: Do I write something that may work, or do I move on?" says Maynor, who says he personally prefers to write his own exploits. "I doubt I would be on-site and run into a problem and be like, 'Let me check NSS and see if they have something.' If I were to buy something, I would need to work with it for a while before using it on the client side or even better, look at how it's done, and then reimplement it myself with my own payloads so I know it's clean."
NSS Labs' Moy says Exploit Hub plans to offer an open, safe market for the buying and selling of exploits. He says it also fills a major gap in today's penetration-testing tools. "Over the past five years, there have been over 14,000 high-risk or critical vulnerabilities and if you look at the tools and count how many exploits in them [for these], there are maybe 1,000," Moy says. "So if you buy all three of these tools, you're getting less than 10 percent coverage for these high vulnerabilities.
"Our goal is to help arm pen testers and security firms with better tools. Security vendors can use them to test their products, and pen testers to test their products," he says.
NSS Labs will test and validate the exploits to ensure they work, an element of the marketplace that security researchers say is crucial.
So far financial services and entertainment firms have expressed interest in the marketplace, he says, as well as security researchers. NSS Labs is providing guidelines for pricing based on supply and demand: The going rate for an exploit could range from $50 for a Web browser or Windows client exploit to a few thousand to hundreds of thousands of dollars for a more complex Oracle exploit, he says.
Keeping the bad guys out won't be too hard, he says, because buyers will also be vetted.
Whether Exploit Hub succeeds will have a lot to do with whether pen testers embrace it and if their organizations are willing to pay for the code, experts say.
Lares' Nickerson says it could also ultimately force penetration testing vendors to more quickly turn around exploits, too, with this new exploit venue also offering exploit modules. "They [vendors] now have an unlimited timeline to release that into their framework," he says. This may force them to step up their development turnaround efforts, he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio