The search for vulnerabilities under the bug bounty scheme follows rules established by software owners. (Photo: Vostock-Photo)
An exchange for buying and selling software vulnerabilities has been launched in Russia. The website, expocod.com, is ready to pay tens of thousands of dollars for vulnerabilities in popular software such as Linux, Windows, and Adobe products. Vulnerabilities are of interest to IT giants that want to fix them, but also to unscrupulous users who could exploit them for personal gain.
Andrei Shorokhov, a former employee of the Russian state agency Rosfinmonitoring, is the brains behind the exchange, reports the newspaper Kommersant. Shorokhov said the project involves a group of software developers, as well as former hackers “who switched to ‘the side of light.’”
The company’s core activity is buying and reselling exploits, which are pieces of software that take advantage of vulnerabilities to attack a computer system and take it over or disrupt its operation. Shorokhov said the exchange intends to resell exploits to information security companies and government agencies that want to improve software.
“We reserve the right to choose what to sell and to whom,” Shorokhov told Kommersant. “It’s a matter of ethics and reputation. Of course, we won’t sell exploits to fighters in Somalia, or to North Korea and similar regimes. As for all the others, why not.”
Shorokhov believes there is nothing illegal in reselling exploits. Experts point out, however, that things are not so simple. Marina Nikerova, deputy managing director at the Internet Technical Center, said there is nothing illegal in selling information about vulnerabilities. There are already a few similar platforms around the world.
“IT companies very often set awards for researchers who find weaknesses in their products,” Nikerova said. “In that case, such a platform becomes just a structure to streamline this process and allows a large number of companies to work with many researchers at the same time.”
On the other hand, the operation of these exchanges is not limited to bug bounty programs of the type described by Nikerova. Vladimir Ulyanov, head of research at the information security company Zecuricon, told RBTH that projects like Expocod are aimed at detecting vulnerabilities without notifying the software owner, which “one way or another constitutes hacking into computer or information systems.”
The search for vulnerabilities under the bug bounty scheme follows rules established by software owners. They decide what can be hacked and what cannot, Ulyanov said. Expocod does not set such rules. “That is why operations like these are largely unlawful,” Ulyanov said, adding that even those hackers who have switched to “the side of light” in many respects remain in a gray area while working for such platforms.
Furthermore, despite assurances from the project’s founder, the question of who these vulnerabilities will be sold to remains open. Will the list of buyers be limited to information security companies and software developers, or will it also include individuals who could use them for unseemly purposes?
It is hard for law-enforcement agencies to say whether such a platform violates the law. Exchanges only provide intermediary services, while the nature of the data that is resold is often obscure. At the same time, the secret services are interested in the information that these platforms possess. That is why cooperation with the secret services could be crucial to the project’s smooth operation.
Speaking about the prospects of the Russian platform, experts point to the successful experience of a number of foreign equivalents. Platforms like Zeronomicon or Zerodium resell serious vulnerabilities worth hundreds of thousands of dollars. Having said that, experts are not convinced that a Russian project in this area will be successful. First, all interested parties in Russia can easily use foreign exchanges. Second, the Russian platform has yet to win the trust of those who would use its services.
All rights reserved by Rossiyskaya Gazeta.