5

I came across the cybersecurity company Zerodium. They offer bigger bounties than most of the companies calling for bug hunters (see their Bounties page).

Because of the bigger bug bounties, bug hunters sell their found exploits/bugs to Zerodium rather than to the company having the exploits/bugs.

On their "About us" page they don't mention what they do with their bought exploits and bugs or how they earn their money. In their FAQ they mention:

ZERODIUM customers are mainly government organizations in need of specific and tailored cybersecurity capabilities, as well as major corporations from defense, technology, and financial sectors, in need of protective solutions to defend against zero-day attacks. Access to ZERODIUM solutions and capabilities is highly restricted and is only available to a very limited number of organizations.

Is there any further information about their customers and what Zerodium does with their purchased exploits and bugs?

schroeder

Nightscape
  • They use them for extremely unethical purposes, selling them to multiple corrupt governments for use against journalists, dissidents, and the like. – forest Dec 10 '18 at 13:03
  • Downvoted due to lack of research. The answers to your questions are in their FAQ: https://zerodium.com/faq.html – schroeder Dec 10 '18 at 13:13
  • The information inside the FAQ is valuable and I must confess I didn't see the question "Who are ZERODIUM's customers?". My question goes, I think, deeper than only that, and you can see that in the informative answers. – Nightscape Dec 10 '18 at 13:20
  • They don't release who their customers are any more than a hitman would. – forest Dec 10 '18 at 13:21
  • A more interesting question would be if this is legal or not, and why. And if not, why they haven't been prosecuted already. But it's off-topic here. – reed Dec 10 '18 at 18:04
  • This new question is **also** in their FAQ: "reports it, along with protective measures and security recommendations, solely to its clients as part of the ZERODIUM Zero-Day Research Feed" – schroeder Dec 10 '18 at 20:43
  • @reed what would make what they do illegal? – schroeder Dec 10 '18 at 22:08
  • @schroeder, I don't know, I even asked a question in the law community. Several things just feel so wrong. For example, the fact that they are buying and selling info that puts other companies at high risk. Or the fact that I've never imagined that zero-days could have non-malicious purposes, unless they are reported to the developer. Are the buyers going to report the vulnerabilities to the devs then? It sounds like they aren't. – reed Dec 10 '18 at 22:43
  • @reed Shady? Yes. Unethical? Likely. Illegal? I'm not sure of a legal model that would apply. – schroeder Dec 10 '18 at 22:44
  • @reed When legal troubles occur, they simply move to a new country (I believe that is why they are no longer under the title VUPEN). There are a _lot_ of companies like this, some of which are major government contractors (Vencore, Raytheon SI, Leidos, BAE, etc. You know, the same guys making missiles). – forest Dec 11 '18 at 08:25
  • @reed 0days _can_ have non-malicious purposes, which is ostensibly the way ZDI operates. They buy exploits and rather than selling a weaponized version of it, they sell a product to detect the exploit signatures for big companies that want to be protected while not gifting their competitors with the same protection. Other companies don't sell the 0days explicitly, but use it to add new exploits into their exploit kits (e.g. CANVAS and Core Impact, which can be subscribed to for literally millions of dollars). – forest Dec 11 '18 at 08:28

2 Answers

11

Zerodium is not "well-known for their big bounties", but they are well-known for aggressive marketing. They are actually fairly small players in the whole exploit broker market, and they pay up far less than they advertise. In general, companies like these will buy weaponized exploits and resell them, usually to governments which use them to, among other things, exploit and track dissidents or even journalists.

Note that the price they list is the maximum payout. The vast majority of exploits will be bought for a far lower price. It is more likely to align with the price they sell it for, as they need to make a profit as ethically-challenged opportunists. As governments have ample money from tax payers, they can afford to pay non-competitive prices and ensure that Zerodium and their ilk sell preferentially to them.

The 0day industry is composed of a number of different companies, some of which are explicitly government contractors, as well as private individuals who buy and sell exploits. Generally, you give them a weaponized exploit and they pay you slowly over a period of time. If for whatever reason the exploit is patched before they have finished paying out, they will stop paying you. This provides an incentive not to use up and burn the exploit on your own. Exploit brokers often know each other, and word about which vulnerabilities are in whose possession travels fast, which itself makes it difficult to try to sell the same vulnerability to multiple different companies. This is true of most exploit brokers.

forest
4

From Wikipedia, second sentence:

Its main business is acquiring premium zero-day vulnerabilities with functional exploits from security researchers and companies, and reporting the research, along with protective measures and security recommendations, to its corporate and government clients.

And from the second reference in the Wikipedia article, "Here's a spy firm's price list for secret hacker techniques":

... customers, which it says include "government organizations in need of specific and tailored cybersecurity capabilities," as well as corporate customers it says use the techniques for defensive purposes

It is not publicly documented what the customers actually do with this bought knowledge or who the customers are exactly (i.e. the legal and ethical aspects are not known and might actually not align with the ethics most of us have) - but it seems to be worth it for them to buy this information.

Steffen Ullrich