A bug broker who claimed he got as much as $200,000 for an exploit closed shop this weekend because buyers took so long to evaluate the vulnerabilities that, in some cases, the bugs were patched and the deals were rendered moot.
Netragard LLC, a New Jersey-based vulnerability assessment and penetration testing firm, shut down its Exploit Acquisition Program yesterday, said Adriel Desautels, the company's chief technology officer. "The buyers have incredibly deep pockets, but there was just a lot of red tape," said Desautels of the pool of exploit and vulnerability buyers he and a partner had assembled. "They just don't seem able to work within a reasonable shelf life of an exploit."
Netragard launched the Exploit Acquisition Program in January 2007 and brokered deals between security researchers and private buyers. According to Desautels, payments for exploits averaged between $17,000 and $18,000, with one as high as $200,000. He would not name the buyers or confirm whether they included government agencies but said that they used the purchased exploits to silently patch software and conduct additional research for intrusion-detection-style defenses.
It was never a problem finding buyers willing to pay, Desautels said, or sellers with high-quality exploits. It was the timing that broke the business model.
"One month is ideal, three months is OK, but more than three months is unacceptable," he said. "The time to close these deals went from one to three months to an average of four months. But the last one lasted seven months, and then the deal fell through because [the vulnerabilities] were all silently patched in the next development cycle."
Exploits do have a shelf life, agreed Pedram Amini, manager of security research at 3Com Corp.'s TippingPoint Technologies Inc., which runs a bug bounty program called the Zero Day Initiative (ZDI). Security researchers hoping to profit from their discoveries obviously want a fast turnaround for fear that the vulnerability may also be found by someone else or patched by the vendor.
"We can do things a lot faster because we're not selling the exploit or vulnerability," said Amini. "All we need to do is validate the information, so our turnaround time is much faster." ZDI's average is about two weeks, he said. But for a Microsoft vulnerability, it could be as fast as just two days between receiving a vulnerability and making an offer to the researcher.
TippingPoint doesn't sell the information acquired through ZDI, but rather uses it to develop intrusion-protection system filters. TippingPoint also notifies the affected vendor and then waits until a patch is released before disclosing the vulnerability publicly.
"It's difficult for a couple of guys to do this," said Amini. "The trust factor is definitely there, and 3Com is a big name."
Desautels wasn't sure what would happen to the exploits found by the researchers he was working with, or others like them who might have turned to his Exploit Acquisition Program.
"I've known these people for years, and all of them are not the kind of people who would go to the black market," he said. "But the others [buying exploits and vulnerabilities] are paying nothing in comparison to the prices we were getting," he added.
"Three thousand, five thousand -- that's very much unfair, in my opinion. I've never cut a check for as low as $5,000," Desautels said, taking a swipe at ZDI and its main rival, VeriSign Inc.'s iDefense Vulnerability Contributor Program.
"These people are effectively highly qualified quality-control testers" who wring out bugs that vendors should have caught, he said, adding, "A high-priced market is just not viable at the moment, but I'd jump back in it in a minute if [buyers] get their act together and pay more attention to shelf life."