Zerodium: A new Zero-Day market specializes in buying zero-day exploits and then selling them off.
The relationship between Hacking Team and the zero-day vendors goes back to 2009, when Hacking Team slowly began its transition from an information security consultancy into a surveillance business. Initially it purchased exploit packs from D2Sec and VUPEN. In 2013, Hacking Team added several more contacts, including Netragard, Vitaliy Toropov, Vulnerabilities Brokerage International, and Rosario Valotta.
However, after the Hacking Team mega-breach at the beginning of this month, Netragard decided to leave the business of buying and selling exploits and vulnerabilities. A new entrant, Zerodium, is stepping in to fill that space, with some familiar names behind it.
Zerodium is a zero-day acquisition company launched by Chaouki Bekrar, the founder of VUPEN.
VUPEN is a French vulnerability and exploit broker known for its own research and development of zero-day exploits; it does not buy vulnerabilities or exploits from outside sources. VUPEN has repeatedly been in the news for selling those exploits to the highest bidder. Since the Hacking Team breach, the ethically grey world of cyber arms has been drawing attention from the media, government officials and lawmakers, and it is under these circumstances that Bekrar has created his new venture, Zerodium, which will focus entirely on purchasing zero-day exploits and selling them on.
As per Zerodium: “It plans to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.” In addition, Zerodium mentions that its founders are well-known cybersecurity veterans with “unparalleled experience in advanced vulnerability research and exploitation.”
Zerodium will focus on buying only high-risk vulnerabilities, leaving aside the lower end of the spectrum, and in that sense acts as a third-party bug bounty program: it rewards independent researchers for the zero-day exploits they discover. Zerodium then analyzes, documents and reports these vulnerabilities and exploits to its clients, which include corporations and governments, and supplies them with “protective measures and security recommendations”.
In effect, Zerodium is building an arsenal of extremely dangerous, powerful and valuable weapons with real potential for cyber destruction.
Why do we say so? Because the central criterion of Zerodium’s exploit acquisition program is that exploits must be fully functional, and because it is prepared to pay researchers top prices for that work. Zerodium says it will pay considerably more than vendors pay through their existing bug bounty programs. For instance, if a researcher finds an exploitable bug in Google Chrome, Zerodium will pay far more than Google would. In that case neither Google nor Chrome users learn of the flaw, and Zerodium becomes the sole owner of a fully working exploit, in other words a cyber weapon.
Zerodium is mostly looking for vulnerabilities and exploits in commonly used platforms and applications: desktop operating systems such as Windows, OS X and Linux; web browsers (Microsoft’s included); mobile platforms such as Android, iOS, BlackBerry and Windows Phone; and the major web and mail servers. Zerodium thus appears ready to pay a premium for some of the top targets, including Joomla, WordPress, web browsers, Flash, Apache, OpenSSL, smartphone operating systems and many more. The emphasis is on fully functional exploits; the company is not interested in partially working exploits or bare vulnerabilities.
Zerodium has put up a disclaimer on its website which reads: “Access to Zerodium solutions and capabilities is highly restricted and we will only respond to requests from eligible corporations and organizations.”
Zerodium also states that some of its customers need advanced zero-day protection as well as exclusive, tailor-made cyber security capabilities, and that these customers are major corporations and organizations in the defense, technology, finance and government sectors.
When the common platforms have exploitable bugs in circulation, the consequences can be unforeseen. Although VUPEN says it will not deal with “oppressive governments”, it has been criticized before for abandoning community-minded white-hat research in favor of feeding a cyber arms race: placing advanced exploits and vulnerabilities in the hands of governments and others, from where they can ultimately end up in the wrong hands, with Stuxnet as the standard example.
Speaking to Infosecurity, Jeremiah Grossman, founder and CTO of WhiteHat Security, said that this kind of business model encourages members of the software ecosystem to go over to the dark side. Grossman commented: “As 0-days go for six to seven figures, imagine the temptation for rogue developers to surreptitiously implant bugs in the software supply chain.” He then added: “It’s hard enough to find vulnerabilities in source code when developers are not purposely trying to hide them.”