A bug broker who claimed he got as much as $200,000 for an exploit has closed shop because buyers took so long to evaluate the vulnerabilities that some bugs ended up being patched first.
Netragard, a New Jersey-based vulnerability assessment and penetration testing firm, shut down its Exploit Acquisition Program Sunday, said Adriel Desautels, the company's chief technology officer.
"The buyers have incredibly deep pockets, but there was just a lot of red tape," said Desautels of the pool of exploit and vulnerability buyers he and a partner had assembled. "They just don't seem able to work within a reasonable shelf life of an exploit."
Netragard launched the Exploit Acquisition Program in January 2007, and brokered deals between security researchers and private buyers. According to Desautels, payments for exploits averaged around $17,000 to $18,000, with one as high as $200,000. He would not name the buyers, or confirm whether they included government agencies, but said that they used the purchased exploits to silently patch software and to conduct additional research for intrusion detection-style defences.
It was never a problem finding buyers willing to pay, Desautels said, or sellers with high-quality exploits. It was the timing that broke the business model.
"One month is ideal, three months is okay, but more than three months is unacceptable," he said. "The time to close these deals went from one to three months to an average of four months. But the last one lasted seven months, and then the deal fell through because [the vulnerabilities] were all silently patched in the next development cycle."
Exploits do have a shelf life, agreed Pedram Amini, manager of security research at 3Com's TippingPoint, which runs a bug bounty program called Zero Day Initiative (ZDI). Security researchers hoping to profit from their discoveries obviously want a fast turn-around for fear that the vulnerability may also be found by someone else, or patched by the vendor.
"We can do things a lot faster," said Amini, "because we're not selling the exploit or vulnerability. All we need to do is validate the information, so our turn-around time is much faster." ZDI's average, he said, was about two weeks. But for a Microsoft vulnerability, it could be as fast as just two days between receiving a vulnerability and making an offer to the researcher.
TippingPoint doesn't sell the information acquired through ZDI, but uses it to develop filters for its intrusion prevention system; TippingPoint also notifies the affected vendor, then waits until a patch is released before disclosing the vulnerability publicly.
"It's difficult for a couple of guys to do this," said Amini. "The trust factor is definitely there, and 3Com is a big name."
Desautels wasn't sure what would happen to the exploits found by the researchers he was working with, or others like them who might have turned to his Exploit Acquisition Program.
"I've known these people for years, and all of them are not the kind of people who would go to the black market," he said one moment. "But the others [buying exploits and vulnerabilities] are paying nothing in comparison to the prices we were getting," he added the next.
"Three thousand, five thousand, that's very much unfair in my opinion. I've never cut a check for as low as $5,000," he said, taking a swipe at ZDI and its main rival, VeriSign's iDefense Vulnerability Contributor Program. "These people are effectively highly-qualified quality control testers," said Desautels, describing researchers who wring out bugs that vendors should have caught.
"A high-priced market is just not viable at the moment, but I'd jump back in it in a minute if [buyers] get their act together and pay more attention to shelf life."