Private Software Flaw Sales Leave Dangerous Gaps in Security: Report
A survey of 10 years of software vulnerability sales shows that private groups have access to an average of nearly 60 exploitable software flaws unknown to the general public.Software vulnerability programs and marketplaces give security professionals a place to sell their research, but also segment the community into groups of "haves" and "have-nots," allowing each private group to hold an average of 58 security flaws about which the public has no knowledge, according to a report released by security consultancy NSS Labs on Nov. 5. While the two major third-party programs—iDefense's Vulnerability Contributor Program (VCP) and HP TippingPoint's Zero-Day Initiative (ZDI)—have bought 2,392 vulnerabilities and turned the information over to software vendors, a number of other firms pay for software vulnerabilities and sell the resulting exploits to penetration testers, government agencies and other groups who use the flaws as cracks in the digital armor of their adversaries. The result of the sales, however, is that vulnerabilities were known to private groups, but not the public, for an average of 151 days, according to the NSS Labs' "The Known Unknowns" report. The report underscores that while vulnerability bounties and third-party sales have likely boosted researchers' efforts to find security issues in common applications, the result has not necessarily led to a more secure software ecosystem, Stefan Frei, NSS Labs' research director, told eWEEK.
"This shows that, if someone is really after you, they will not have a problem in finding the tools to go after you," Frei said. "In the past, only nation-states could afford the best weapons—the fighter jets and missiles. But in cyber, if you are a target, and [if] in breaching you I can get a million dollars, then it's worth paying $200,000 to buy an exploit from a private organization."