Hackers use brokers to sell software vulnerabilities

Published 1 February 2007

Although programs such as ZDI and VCP are popular, hackers can earn ten times the bounty by going through SNOSoft; significant flaw research can earn as much as $120,000; smart disclosure falls by the wayside

An ongoing debate in the IT security world is whether a researcher or analyst who discovers a security flaw should publicly reveal what he has found. The question matters because the company whose software contains the flaw may be less interested in fixing it than its customers are, and without public disclosure users may never learn that they are exposed. Yet if the vulnerability is disclosed before the company can issue a patch, attackers will quickly seize on the newly revealed opportunity. One compromise is called smart disclosure (more commonly known as responsible or coordinated disclosure): the researcher informs the vendor first, allows it adequate time to fix the problem, and only then announces the flaw publicly.

Of course, the above is premised on the idea that the researcher is a well-intentioned academic with no thought of material gain. The more avaricious have found that they can do much better — economically, if not morally — by selling information about software vulnerabilities. When they want to do so, they often turn to Adriel Desautels, co-founder of the security group Secure Network Operations Software (SNOSoft), who acts as a broker of vulnerability research between researchers and third parties. “Significant flaw research,” he explained recently, could be sold for more than $75,000. “I’ve seen these exploits sell for as much as $120,000,” Desautels told SecurityFocus.

The practice is increasingly common, with flaw bounty programs such as TippingPoint’s Zero-Day Initiative (ZDI) and iDefense’s Vulnerability Contributor Program (VCP) making it easier and lending it institutional legitimacy. (Microsoft, for example, patched at least seventeen flaws reported through the two programs in 2006.) Desautels, however, works independently with freelance researchers. “One of the reasons why the hacking community is so frustrated with large corporations is because these corporations are making a killing off their research and they are not seeing fair value for their work,” Desautels said. Going through Desautels is also far more lucrative than using ZDI or VCP, with prices said to be five to ten times higher. The bounty programs defend their lower payouts by pointing to the cost of the research they would otherwise have to fund themselves. “We continually have to justify where we recoup the cost,” said Terri Forslof of 3Com, TippingPoint’s parent company. “Mainly, we consider that we recoup it in research—look how much you would have to pay a top-notch researcher.”

Read more in Robert Lemos’s SecurityFocus report.