ORLANDO–The buying and selling of exploits for zero-day vulnerabilities in software is perhaps the most controversial topic in the security community over the last few years, but the CEO of a company that used to be one of the main players in that world said the market is misunderstood and not the hive of evil many observers believe it to be.
“The market itself is entirely misrepresented,” Adriel Desautels, CEO of Netragard, said in a talk at the InfoSec World conference here Tuesday. “They’re high value but very low volume. There’s a very small amount of players.”
The number of companies that buy and sell exploits is hard to pin down, but it is a relatively small pool. Netragard no longer sells exploits, but a handful of other companies still do, including Zerodium, a firm that pays premiums for zero-day exploits. Even less well known than the number of organizations buying these exploits from researchers is the volume and the kinds of organizations that then buy the exploits from brokers and use them. Law enforcement agencies in many countries are buyers in this market, but private companies buy as well.
“The government isn’t the only party buying these things. We sold our fair share of exploits to private companies, and they pay the fair market value,” Desautels said.
Desautels made the decision to take Netragard out of the exploit broker business last year after the breach of Hacking Team, an Italian company that sells intrusion and surveillance software. Netragard had sold exploits to the firm, and documents that became public after the breach showed that Hacking Team had sold its software to oppressive regimes. Desautels said those revelations made him rethink the exploit brokerage business and ultimately get out of it altogether.
“Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers,” he wrote in a blog post at the time.
In his talk Tuesday, Desautels said the ethical issues in the exploit business are considerable.
“The idea of good and bad people is really subjective,” he said. “We can’t control the ethics of the people using the zero days. We can only hope and use our best judgment. We operated by more of a code of ethics than anything else.”
Various efforts to regulate or control the exploit market have been put forward in recent years, most notably the Wassenaar Arrangement, which regulates dual-use technologies, including software exploits. But Desautels said nothing has ever effectively controlled exploit sales, because there will always be a thriving black market for exploits regardless of the controls placed on the legitimate market.
“There never was and still isn’t anything that can control what zero days can do,” he said.
Desautels also said that he believes zero days are far less dangerous to typical users than known vulnerabilities are.
“A zero day doesn’t really put all of you at risk. Do you really think someone is going to buy a really cool exploit and then spray it across a bunch of people?” he said. “They’re going to use it for very surgical things. Covert action is really important with zero days. Exposure is a very valuable tool.”