The Shadowy World Of Selling Software Bugs - And How It Makes Us All Less Safe

"Pssst, wanna buy some software bugs?" It's not talked about much, but selling software vulnerabilities is big business. And the practice has surprising implications for software security - and even national security.

It turns out government agencies are willing to pay six figures for exclusive details on exploitable flaws in software and operating systems, and there are plenty of companies and bug brokers ready to sell to the highest bidder. But with so much backdoor trading, who is watching to make sure the bad guys - from criminals to terrorists or hostile nations - do not get this valuable information?

The answer is no one.

How Selling Bugs Began

One of the first security researchers credited with selling an exploitable flaw was Charlie Miller, a former employee of the National Security Agency who now works for the consulting firm Accuvant. In 2005, Miller found a vulnerability in the Linux operating system and sold it to the U.S. government for $80,000.

"The government official said he was not allowed to name a price, but that I should make an offer," Miller told SecurityFocus. "And when I did, he said OK, and I thought, 'Oh man, I could have gotten a lot more.'"

Today's Bug Market

Today, many software makers offer bounties for vulnerabilities. So far this year, Google has spent more than $290,000 for vulnerabilities in its Chrome browser and recently raised the minimum bonus to $1,000.

A number of companies buy bugs and then sell them back to software makers on a subscription basis. Examples include iDefense and Zero Day Initiative, which pay from $500 to $20,000 for vulnerabilities.

But the big money is chased by companies like Endgame Systems, Netragard and Vupen Security. They focus on the more lucrative market of selling bugs to government agencies that use the information to hack computers and phones of crime suspects and intelligence targets. However, their customers also can include large corporations.

In February, Vupen, which publicly promotes its services, let its team of hackers loose on Google Chrome to win a hackathon held by Hewlett-Packard. At the same security conference, Vupen snubbed a similar contest held by Google, which paid each of two winning hackers $60,000. To Vupen the prize was pocket change, since winning it would have meant handing the details of the flaw over to Google.

"We wouldn’t share this with Google for even $1 million," Vupen chief executive Chaouki Bekrar told Forbes. "We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers."

Also in the high end of the market are so-called "bug brokers" who negotiate deals for vulnerability hunters. One such broker goes by the pseudonym "The Grugq." A noted security expert himself, The Grugq sells to the highest bidder, typically a U.S. or European government agency, and charges a 15% commission, according to an interview in March with Forbes.

As you would expect, bugs in the most popular software - Windows, Microsoft Office, Apple's iOS, Web browsers, etc. - earn the highest prices. And with so much money at stake, it's no wonder that plenty of smart, ambitious hackers are spending endless hours tearing apart popular software looking for vulnerabilities - and finding them.

No Laws, Few Rules

The selling of software vulnerabilities is perfectly legal. In fact, consulting firm Frost & Sullivan named Vupen the 2011 Entrepreneurial Company of the Year.

The problem is who buys the information. People may believe it's OK when a U.S. government agency is the purchaser, but what about intelligence agencies from other countries, possibly ones hostile to the U.S.? Exploitable bugs can also find their way to cyber-criminals who could use them in large-scale malware attacks on home or business computers.

The Critics

Among the most vocal critics of vulnerability trading is Christopher Soghoian, a principal technologist and policy analyst for the American Civil Liberties Union. In a presentation at the Virus Bulletin conference in September, Soghoian argued the need for some form of oversight of the industry.

"If the industry wants to avoid regulation, it needs to regulate itself," Soghoian said.

A Need For Regulation?

Self-regulation appears unlikely. But a regulated exploit market is not unprecedented. Germany, for example, has strict laws that make it illegal not only to sell exploits, but also to distribute them for free.

But there's no consensus here in the U.S. Some experts argue that regulating the industry is like trying to regulate guns: laws are in place throughout the country, yet criminals still have guns.

Others argue there should be restrictions on exports, while the domestic market remains open. The problem with this strategy is it might encourage stockpiling of exploits, which carries its own risks.

There are no easy answers, but it's time for lawmakers to look at the industry before an exploit sold on the open market is used in an attack that empties bank accounts, steals state secrets or disrupts the power grid.

In the aftermath of such a large-scale infrastructure attack, the rush to regulation is unlikely to produce good policy. That's why we need to address the issue now.
