Exploit Merchant Vupen Plots London Base


Exclusive: Vupen CEO says business is coming to London as the controversial exploit-selling market continues to expand

Vupen, a zero-day vulnerability research company that sells into global governments, is to set up an office in London, the firm’s CEO has told TechWeekEurope.

The French company, once described as a “modern-day merchant of death”, offers subscriptions to its research findings, which include information on zero-day vulnerabilities that governments or private firms can use for either defensive or offensive means.

“We are setting up an office in London, I cannot say more,” said Chaouki Bekrar, CEO of Vupen. TechWeekEurope understands the company could arrive in London in the next few months.

Bekrar was not forthcoming on any other details, such as pricing. It is believed that subscriptions start at $100,000, but go into the millions depending on what the client wants.

The government and GCHQ are thought to be keen on improving cyber offensive operations and were recently advised by MPs to step up attack research. They may well be targets for Vupen’s sales people.

Selling ‘burglary tools’

Vupen’s business model does not sit well with some in the security community, who believe that by not revealing vulnerabilities to the wider market, the company is placing others at risk, as they do not know about serious flaws affecting their software portfolio. Others are worried the exploit-selling industry is supplying tools that will speed up the realisation of all-out cyber warfare, given that highly sophisticated malware like Stuxnet has been shown to exploit numerous zero-days at once.

A number of government contractors are believed to be involved in the exploit-selling industry, including Raytheon, Northrop Grumman and Lockheed Martin. Other specialist players like Vupen include Netragard, Endgame and Errata Security.

Talking about Vupen’s move to the UK, professor of security engineering at the University of Cambridge, Ross Anderson, said zero-day vulnerability sellers essentially sold “burglary tools”. Ten years ago, the flaw-finding market was less problematic, according to Anderson, as it helped establish a community that helped companies know about potential dangers in advance.

“In the last few years, things have changed. The worrying problem we see now is that programmers, security contractors, are holding back on or potentially creating vulnerabilities,” he added.

Anderson was also concerned that researchers were knowingly writing bugs into open source software to later expose them and earn money from them.

In a recent article in Forbes, notable security researcher and BT employee Bruce Schneier slammed the model. “This new market perturbs the economics of finding security vulnerabilities. And it does so to the detriment of us all,” he wrote. “It results in vulnerabilities remaining secret and unpatched. That it’s even more lucrative than the public vulnerabilities market means that more hackers will choose this path.”

Bob Tarzey, security analyst at Quocirca, agreed with Schneier’s sentiments. “It is in the interests of all software users (government and commercial) and suppliers to get vulnerabilities fixed,” he said.

“If governments in effect join the dark side and buy vulnerabilities for their own use, then they remain deployed at customer sites and may be discovered and exploited by anyone. Governments entering the market will drive up prices and stoke the market. They should encourage openness instead.”

At the time of publication, Bekrar had not responded to a request for comment on some of the remarks above.