Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services. Countries in the Asia-Pacific region, including Malaysia and Singapore, are buying too, according to the Center for Strategic and International Studies in Washington.
To connect sellers and buyers, dozens of well-connected brokers now market information on the flaws in exchange for a 15 percent cut. Some hackers get a deal collecting royalty fees for every month their flaw lies undiscovered, according to several people involved in the market. Some individual brokers, like one in Bangkok who goes by “the Grugq” on Twitter, are well known. After the Grugq spoke to Forbes last year, his business took a hit from the publicity, according to a person familiar with the impact, primarily because buyers demand confidentiality.
A broker’s approach need not be subtle. “Need code execution exploit urgent,” read the subject line of an e-mail sent from one contractor’s intermediary last year to Billy Rios, a former security engineer at Microsoft and Google who is now a director at Cylance, a security startup.
“Dear Friend,” the e-mail began. “Do you have any code execution exploit for Windows 7, Mac, for applications like Browser, Office, Adobe, SWF any.”
“If yes,” the e-mail continued, “payment is not an issue.”
For startups eager to displace more established military contractors, selling vulnerabilities — and expertise about how to use them — has become a lucrative opportunity. Firms like Vupen in Montpellier, France, Netragard in Acton, Massachusetts, Exodus Intelligence in Austin, Texas, and ReVuln, Auriemma and Ferrante’s Maltese firm, freely advertise that they sell knowledge of the flaws for cyberespionage and in some cases for cyberweapons.
Outside Washington, a Virginia startup named Endgame — in which a former director of the NSA is playing a major role — is more elusive about its abilities. It has developed a number of tools that it sells primarily to the US government to discover vulnerabilities, which can be used for fighting cyber-espionage and for offensive purposes.
Like ReVuln, none of the companies would disclose the names of customers. Adriel Desautels, the founder of Netragard, said that his clients were “strictly US-based” and that Netragard’s “exploit acquisition program” had doubled in size in the past three years. The average exploit now sells from around US$35,000 to US$160,000.
Chaouki Bekrar, the founder of Vupen, said his company did not sell to countries that are “subject to European Union, United States or United Nations restrictions or embargoes.” He also said revenue was doubling every year as demand surged for sophisticated exploits. Vupen charges customers an annual US$100,000 subscription fee to shop through its catalog of exploits, and then charges per exploit. Costs depend on the sophistication of the vulnerability and the pervasiveness of the operating system.
ReVuln specializes in finding remote vulnerabilities in industrial control systems that can be used to access — or disrupt — water treatment facilities, oil and gas pipelines and power plants.
“They are engaging in willful blindness,” said Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union.