Post-PWN2OWN: Are Exploit Sellers Playing Nicer?

PWN2OWN paid money for security attacks. It could mark a turning point controversy over exploit sellers, says Tom Brewster

At last year’s PWN2OWN contest, exploit seller VUPEN caused a stir. Despite having won thousands by revealing a flaw in Google’s Chrome browser, it would not reveal the details of the vulnerability to the tech giant. The French firm’s CEO said it wouldn’t have even handed information to Google if $1m was on the table.

Yet at this year’s PWN2OWN, after uncovering a host of vulnerabilities in major pieces of software, VUPEN handed over all details to the relevant vendors, including Adobe, Microsoft, Mozilla and Oracle.

Exploit sellers in general have been labelled as merchants of death in the past, providing nation states with the tools to spy on people, as well as giving protection to a select few (i.e. their customers) rather than all Internet users. That’s because their customers pay them hundreds of thousands, whereas vendors pay comparative peanuts. But has VUPEN signalled a change in tack? Is it getting nicer?

Security vulnerability - Shutterstock - FuzzBonesPWN2OWN makes exploit seller smile

To some extent, yes. Even though it won’t admit it.

In an email conversation, VUPEN CEO Chaouki Bekrar tells me the main reason the firm decided to share this time at PWN2OWN was the amount of money on the table. Tellingly, the amount Bekrar’s team won did not amount to more than $1m. In fact, its overall winnings were less than half of that. Just a year ago, they would have scoffed at the idea of handing over information for such paltry sums – now they’re more than happy to do so.

This openness has had an immediate impact. Mozilla moved quickly to patch, whilst the other vendors are actively working on fixes. As PWN2OWN findings are not publicly released, vendors are given breathing room to work on effective patches.

Even more positively, researchers had to work for months on breaking the software, whilst patching has so far been quick to arrive. And Chrome OS came out unscathed, leaving over £2 million of prize money untouched. Could it be that software is getting more secure?

And instead of the pugnacity of 2012, VUPEN is verging on amicable. Bekrar is, ostensibly, happy to work with vendors. He believes that more money will lead to greater sharing from vulnerability researchers, creating a more secure Internet.

“We tried without success during years to entice major vendors such as Microsoft to decently reward researchers for their hard work,” he tells me.

“Maybe vendors such as Microsoft and Adobe should not pay for vulnerabilities (or proof-of-concept codes) if it’s against their internal policies or ideology.

“They should, however, consider paying high rewards for fully functional exploits or for new techniques, this would help them learn from researchers and make their products much more secure. If they need our feedback and assistance on such a project, we will be glad to contribute.”

The message from this section of the vulnerability research community is clear though: if vendors paid more money, more users would be protected. Given security is a major selling point now, and how much cash tech giants are sitting on, it would come as no surprise if more substantial prize funds appeared.

That still might not do much to improve the reputation of exploit sellers amongst left-leaning Internet activists, however. Asking for more money tends not to make one look saintly.

Are you a security expert? Try our quiz!