Private Software Flaw Sales Leave Dangerous Gaps in Security: Report

A survey of 10 years of software vulnerability sales shows that private groups have access to an average of nearly 60 exploitable software flaws unknown to the general public.

Software vulnerability programs and marketplaces give security professionals a place to sell their research, but also segment the community into groups of "haves" and "have-nots," allowing each private group to hold an average of 58 security flaws about which the public has no knowledge, according to a report released by security consultancy NSS Labs on Nov. 5.

While the two major third-party programs—iDefense's Vulnerability Contributor Program (VCP) and HP TippingPoint's Zero-Day Initiative (ZDI)—have bought 2,392 vulnerabilities and turned the information over to software vendors, a number of other firms pay for software vulnerabilities and sell the resulting exploits to penetration testers, government agencies and other groups who use the flaws as cracks in the digital armor of their adversaries.

The result of the sales, however, is that vulnerabilities were known to private groups, but not the public, for an average of 151 days, according to the NSS Labs' "The Known Unknowns" report.

The report underscores that while vulnerability bounties and third-party sales have likely boosted researchers' efforts to find security issues in common applications, the result has not necessarily led to a more secure software ecosystem, Stefan Frei, NSS Labs' research director, told eWEEK.

"This shows that, if someone is really after you, they will not have a problem in finding the tools to go after you," Frei said. "In the past, only nation-states could afford the best weapons—the fighter jets and missiles. But in cyber, if you are a target, and [if] in breaching you I can get a million dollars, then it's worth paying $200,000 to buy an exploit from a private organization."

The market for information about software flaws has grown enormously in the past few years. While the Vulnerability Contributor Program (VCP) and the Zero-Day Initiative (ZDI) were the first to offer a bounty for vulnerabilities in 2002 and 2005, respectively, nearly a dozen companies, including Facebook, Google, Mozilla, and most recently Microsoft, now pay researchers who turn in information about security issues in their software.

While the beneficial programs limit vulnerability information to trusted third parties and the developers of the impacted software, non-defensive groups resell the information to a wide base of customers. Those organizations privately buy vulnerabilities from researchers and sell access to attack code capable of exploiting the vulnerabilities to a limited clientele, offering access to approximately 100 exclusive exploits per year, according to Stefan Frei, NSS Labs' research director.

Since those vulnerabilities are known by private groups while the public continues to blindly use unpatched software, attackers have the advantage, Frei said.

"If you are a valuable target, you have to assume that you are already compromised and that you will get compromised again," he said. "Prevention is limited, so you should have a process and tools to help you identify as early as possible if there is an attacker in your network."

The length of time that private groups have access to vulnerability information has increased over time. The time between discovery of a software vulnerability and the release of a patch has increased to about 200 days in 2012, up from less than 50 days in 2002, the report stated.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...