Platforms like Zeronomicon or Zerodium resell serious vulnerabilities worth hundreds of thousands of dollars. Photo: Vostock-Photo
An ‘exchange’ selling software vulnerabilities has been launched in Russia. The website, expocod.com, is willing to pay tens of thousands of dollars for vulnerabilities in popular software such as Linux, Windows, and Adobe products. These vulnerabilities are of interest to IT giants, who may want to fix them and improve cyber security. However, unscrupulous users and criminals could exploit them and cause major disruptions for personal gain.
Andrei Shorokhov, a former employee of the Russian state agency Rosfinmonitoring, is the brains behind the exchange, reports the newspaper Kommersant. Shorokhov said the project involves a group of software developers, as well as former hackers “who switched to ‘the side of light.’”
The company’s core activity is buying and reselling ‘exploits’, pieces of software that take advantage of vulnerabilities to attack a computer system and take it over or disrupt its operation. Shorokhov said the exchange intends to resell exploits to information security companies and government agencies that want to improve software.
“We reserve the right to choose what to sell and to whom,” Shorokhov told Kommersant. “It’s a matter of ethics and reputation. Of course, we won’t sell exploits to fighters in Somalia, or to North Korea and similar regimes. As for all the others, why not?”
Shorokhov believes there is nothing illegal in reselling exploits. Experts point out, however, that things are not so simple.
Marina Nikerova, deputy managing director at the Internet Technical Centre, said there is nothing illegal in selling information about vulnerabilities. There are already a few similar platforms around the world.
“IT companies very often set prizes for researchers who find weaknesses in their products,” Nikerova said. “In that case, such a platform becomes just a structure to streamline this process and allows a large number of companies to work with many researchers at the same time.”
The operation of these exchanges is not limited to ‘bug bounty’ programmes of the type described by Nikerova. Vladimir Ulyanov, head of research at the information security company Zecuricon, told RIR that projects like Expocod are aimed at detecting vulnerabilities without notifying the software owner, which, “in one way or another, constitutes hacking into computer or information systems.”
The search for vulnerabilities under the ‘bug bounty’ scheme follows rules established by software owners. They decide what can be hacked and what cannot, Ulyanov said. Expocod does not set such rules.
“That is why operations like these are largely unlawful,” Ulyanov said, adding that even hackers who have switched to “the side of light” remain, in many respects, in a gray area while working for such platforms.
Furthermore, despite assurances from the project founder, the question of whom these vulnerabilities will be sold to remains unclear. Will the list be limited to information security companies and software developers, or will it also include individuals who could use them for unlawful purposes?
It is hard for law-enforcement agencies to say whether such a platform violates the law. Exchanges only provide intermediary services, while the nature of data that is resold is often obscure. At the same time, the secret services are interested in the information that these platforms possess. That is why cooperation with the secret services could be crucial to the project’s smooth operation.
Speaking about the prospects of the Russian platform, analysts point to the successful experience of a number of foreign equivalents.
Platforms like Zeronomicon or Zerodium resell serious vulnerabilities worth hundreds of thousands of dollars. However, experts are not convinced that a Russian project in this area will be successful. First, all interested parties in Russia can easily use foreign exchanges. Second, the Russian platform has yet to win the trust of those who would use its services.
All rights reserved by Rossiyskaya Gazeta.