Ethics of the 0-day trade
This is an opinion piece, and I am fully aware that the opinion can be controversial in some sectors of the cybersecurity industry. Still, selling off the security of the very customers that most of us are doing our utmost to protect from the nefarious underbelly of the Internet is actively undermining that security. And yes, I feel that selling 0-days to brokers, on the darknet or to companies on the Internet, instead of disclosing them to the vendors for patching, is actively undermining security.
Before getting to the trade in 0-days, I would like to begin with the reasons for the reward schemes that most companies have begun using to get vulnerability researchers to disclose responsibly, instead of selling to brokers on the darknet. Back in the late 1990’s and early 2000’s, a vulnerability researcher approaching a vendor with a bug report ran a very real risk of getting sued or accused of hacking the vendor. Back then, a responsible researcher had to contend with some very aggressive behavior on the part of the various vendors – something I, even back then, thought was short-sighted.
In many cases the vulnerabilities were released to sites like SecurityFocus and the Bugtraq mailing list instead of to the vendors directly, but in the early 2000’s a company called iDefense started a business model that paid hackers for the vulnerabilities they found in software. This was a huge shift in thinking from the previous way of doing vulnerability research. As a researcher, you could now make money on the weaknesses you found in software from the various vendors. In the beginning it was not a lot of money; the bounties started out at $75 apiece. Not really getting-rich-quick money.
This was obviously not something that sat well with the big software vendors, like Microsoft, Oracle, and the like. At the Black Hat conferences in the years after 2003, you could see corporate security people screaming at hackers about the ethics of selling bugs to companies like iDefense. In defense of iDefense, the bugs were passed on to the vendors for fixing. iDefense made its money by protecting its clients against these vulnerabilities until the vendors had released fixes for them. As I see it, that was a very ethical way of doing business. The bugs were still out there, but now iDefense could protect its customers, because it knew of the vulnerabilities.
The security of software systems was becoming more and more political and sensitive for the vendors, at the same time as the public became aware of the importance of software systems in their lives and democracies. The big stories of the time were the ILOVEYOU virus and Code Red, and in 2003 the SQL Slammer worm made it around the world in minutes. Software security was now on everybody's lips.
At this same time, iDefense started to get calls from ‘contractors’ asking whether they would be willing to withhold some of the bugs they had paid $400 for, in exchange for $150,000 apiece. Oh, and not tell anybody that they had done so.
The story above shows that 0-days were already valuable to the US almost 20 years ago. Make no mistake, buying 0-days is something every single country does now, not just the US. Yes, that includes your country as well. If a bug was worth $150,000 to some agency or contractor back then, the software vendors were left with a serious conundrum: how to get researchers to submit the bugs, instead of selling them on some gray market? Hence the bug bounties from the big software vendors were born. There really was no choice in the matter and, on top of that, the vendors also needed to distance themselves from the aggressive behavior of previous years. Time passes, until the Stuxnet worm, using four previously unknown 0-days in MS Windows, is discovered in 2010, as a means to sabotage the Iranian nuclear program.
Stuxnet is the first case we know of where one nation state attacked another using cyber as the weapon of choice, elevating cyber to something of geopolitical importance around the world. Cyber becoming a battle space alongside air, sea, and land has democratized cyber war, since a country no longer has to compete on the number of soldiers, ships or tanks to compete on the global arena. You just have to train and educate some people in cyber to compete at the same level as the global powers, and this increase in competition in cyberspace is what has driven the value of the right 0-days to current levels.
Why are vulnerability researchers selling their 0-day findings on the gray market, instead of claiming bug bounties from the software vendors themselves? Because that is where the money is. The right 0-day on the right platform, like an iPhone or MS Windows, can sell for millions of dollars to nation states or to companies like the Israeli NSO Group, the Italian Hacking Team, or the French Vupen.
In the cases of NSO Group and Hacking Team, the stated business model is to sell tools to law enforcement in friendly countries for investigative purposes, but in both cases these tools have found their way into repressive regimes and been used against journalists and dissidents to keep an eye on them and, in some cases, to incarcerate them. This brings me to the ethical point of this opinion piece.
I have heard several times from vulnerability researchers that they are not responsible for how the 0-days they sell are used in the real world. They are selling to companies or nation states, shifting the ethical use of them to said entities. WRONG! You chose to sell a 0-day to a broker or nation state, instead of reporting it to the software vendor in question, because of the financial gain you saw in doing so. Understandable, yes, we all would like to make more money, but in this case not disclosing the vulnerability to the vendor for patching exposes all of us to a vulnerability that is out there, but unknown to the software company.
I fully understand the temptation behind being offered a seven-figure sum for a 0-day vulnerability in the latest version of Apple iOS, I really do, but by not disclosing it to Apple, you are, as I see it, making the millions of Apple users out there less secure and trying to shift the ethics onto the organization or company you sold it to. In my humble view, this is naïve. We see time and time again that ethics takes a backseat in favor of profit, as we have seen with NSO Group and Hacking Team.
Please disclose your findings to the software vendor in question and accept the smaller bug bounty instead of the seven-figure sums that have been paid on the gray market. Naïve on my part, I know, but please think about it at least.
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and has covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISC, CCSP, CDPSE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book, 'Security Architecture - How & Why'.