Vulnerability Acquisition Companies are Stockpiling 0-days and Selling Them to Governments Rather Than Allowing Them to be Patched
However we got here, this is indeed the state of the world: a place where shady organizations lure security researchers with huge sums of money and then turn around and sell their discovered vulnerabilities to government customers to use against their citizenry. According to the Zerodium website, its customers are “mainly government organizations…as well as major corporations from defense, technology, and financial sectors”. Zerodium prides itself on its high payouts, stating on its website, “We pay BIG bounties, not bug bounties”. This model differs greatly from conventional bug bounty programs like HackerOne or Bugcrowd, which report submitted vulnerabilities directly to the developers so they can be patched immediately. Conventional programs also typically pay far less to the security researcher submitting a vulnerability.
Of course, it’s possible that some government spy agencies discovered the Tor Browser vulnerability on their own and knew of it before Zerodium began secretly peddling it. Giorgio Maone, the developer of the NoScript extension bundled with Tor Browser, told ZDNet that the bug was introduced in NoScript 5.0.4, which was released on May 11, 2017. If spy agencies or anyone else found this bug before Zerodium acquired it, users may have been at risk starting at that time.
Legitimate bug bounty programs are supposed to operate in such a way that when vulnerabilities are discovered by security researchers, they are reported to the developers and patched as quickly as possible. But with the likes of Zerodium on the scene, security researchers are being seduced by big money to sell their exploits to vulnerability acquisition companies for their elite customer base. The security bugs purchased by such organizations are often intentionally not submitted to the appropriate developers, in an effort to keep them from being patched. With the vulnerabilities not patched, government customers can secretly acquire and use exploits against their targets as they see fit.
Zerodium is not the only vulnerability acquisition company catering to government. It is widely known that major defense contractors like Northrop Grumman, General Dynamics and Raytheon also sell exploits to government entities. There are likely others. With such powerful corporations covertly selling 0-day exploits, privacy is an uphill battle for those living under oppressive regimes.
Vulnerability acquisition companies and government entities typically justify their behavior by citing use cases that involve scenarios like terrorism threats, or sexual exploitation of children. This tends to sway public opinion in their favor. An increasing number of people, however, are becoming concerned with the cost of giving government such power.