The sale of zero-day exploits is a highly controversial topic, but the debate has recently taken on a new tone. Instead of being centered on the money or the ethics of it, the debate has become centered on the issue of personal freedoms and liberties.
A debate is taking place right now, and it has little to do with the current election cycle in the United States. This debate centers on the sale of vulnerabilities and exploits, and it goes back as far as the practice itself; this time, however, it comes with a new twist.
The high point in this debate took place in 2009, when a group of researchers, well known within the security community, announced their “No More Free Bugs” stance to the crowd at CanSecWest, a hacker convention in Vancouver. In essence, the researchers, annoyed that security researchers and vulnerability hunters were often not being properly compensated for their discoveries, told the world that they basically just wanted to get paid, in true capitalistic spirit. “Vendors have been getting a freebie for a while,” said Dino Dai Zovi, one of the researchers. “[But] why would I want to sit down and volunteer to find a bug in someone’s browser when it’s a nice, sunny day outside?”
Since then, however, the debate has taken on a much different tone. Back in 2009, no one knew or even considered the scope or threat of spy viruses and zero-day exploits. There was no Stuxnet, no Flame, no Gauss. But as nations, especially the United States, began using cyber weaponry and touched off a modern-day arms race, governments started paying a king’s ransom for zero-day exploits, which are attacks against flaws for which no patch or defense yet exists. In essence, researchers today are selling their exploits to people who want to use them rather than fix them.
In case you didn’t catch that, let me emphasize what a huge fundamental shift this represents. Researchers are becoming strongly incentivized to find vulnerabilities and create exploits that governments can use to launch attacks. This, in turn, means that they are less incentivized to report those same vulnerabilities to the vendor to be patched, even as bug bounty programs become more prominent. This has created a new breed of security researcher, a sort of mercenary security researcher who stands to make hundreds of thousands of dollars by selling exploits to the highest bidder.
Vupen Security, based in France, is one of the most well-known groups of these mercenary security researchers. Andy Greenberg of Forbes reported on them in March and noted that their business model is very risky.
“In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret … [Vupen CEO Chaouki] Bekrar claims that it carefully screens its clients, selling only to NATO governments and ‘NATO partners.’ He says that Vupen has further ‘internal processes’ to filter out nondemocratic nations and requires buyers to sign contracts that they won’t reveal or resell their exploits. But even so, he admits that the company’s digital attack methods could still fall into the wrong hands. ‘We do the best we can to ensure it won’t go outside that agency,’ Bekrar says. ‘But if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.’”
This mindset prompted the Electronic Frontier Foundation (EFF), an internet civil liberties group, to argue in a blog post that same month that the researchers and governments involved in these deals are both responsible for making the internet less safe. Some coders felt attacked by the EFF, believing it was implying that government regulation was necessary to oversee exploit sales. As a result, the debate has shifted from money to personal freedom and libertarianism. Some researchers consider any attempt to regulate the trade in exploits to be an attack on the free market. They believe in their right to sell their research to any viable buyer, even if that buyer happens to be another government; anything preventing them from doing so is seen as an unfair infringement on their basic rights.
I will continue to keep my eyes on this story; I don’t claim to have all the answers. Exploit hunters have a right to profit from their discoveries, but there is something to be said for transparency and accountability. Hopefully a resolution can be reached soon, because when governments are purchasing high-powered, offensive cyber weapons that could easily fall into the wrong hands or result in massive collateral damage, we’re probably better off knowing about it.