The head of French security firm Vupen Security has categorically denied rumours that hackers stole data on 130 zero day exploits from the company, describing the claims as “bullshit.”
According to the research company’s CEO, Chaouki Bekrar, that is the story – there is no story.
“To make things very clear, the imaginary compromise story is just bullshit, nothing happened at all. Sorry to the trollers,” he said on Twitter.
The claim had earlier surfaced on more than one blog, before being repeated on Twitter, resulting in some stern criticism from other security notables.
“Maybe we need to take the claims with a pinch of salt unless something shows up which suggests it might be true,” posted Graham Cluley of Sophos on one blog.
“Of course, if it *was* true it would be big news. But at the moment everyone is just re-tweeting a rumour.”
If a company like Vupen had been hacked, it would indeed be big news. It is a research house that makes money by discovering valuable vulnerabilities, ideally unpatched ‘zero days’, which are then revealed to paying customers. Such data is dangerous enough that its theft and possible sudden release on this scale would be unprecedented.
Vupen is most famous for its impressive compromises of Google's Chrome browser during the 'Pwnium' open hacking event. Its non-disclosure modus operandi remains controversial in some quarters.
Given that not a shred of evidence has been offered of any hack having happened, Bekrar’s denial stands up.
However, the speed at which such unsubstantiated claims sweep the Internet underlines the febrile nature of security in a week in which LinkedIn appears to have suffered a major password breach.
Nobody fully trusts anyone or anything anymore and almost anything – even the incredible possibility that the US Government might have developed super-malware – seems possible.