Vulnerability Acquisition Companies are Stockpiling 0-days and Selling Them to Governments Rather Than Allowing Them to be Patched

Posted on Sep 21, 2018 by James Gallagher
0day exploits

Last week, a so-called vulnerability acquisition company by the name of Zerodium disclosed a Tor Browser 0-day vulnerability to the public, in an apparent PR stunt. As you may know, 0-days are security bugs which have been discovered but not yet revealed to the developers responsible for patching them. The 0-day disclosed by Zerodium was for an old version (7.x) of the Tor Browser and is useless against the latest version. Zerodium described their exploit as bypassing the Tor / NoScript “Safest” security level, which is designed to block all JavaScript. To be effective, the exploit would need to be coupled with malicious JavaScript that uncloaks a user’s identity. In a statement to ZDNet last week, Zerodium’s CEO Chaouki Bekrar stated, “This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.” This is of course a disturbing revelation for those who rely on the Tor Browser to provide privacy against oppressive regimes, since for quite some time they were at risk.

However we got here, this is indeed the state of the world: a place where shady organizations lure security researchers with huge sums of money and then turn around and sell their discovered vulnerabilities to government customers to use against their citizenry. According to the Zerodium website, their customers are “mainly government organizations…as well as major corporations from defense, technology, and financial sectors”. Zerodium prides itself on its high payouts, stating on its website, “We pay BIG bounties, not bug bounties”. This model differs greatly from conventional bug bounty programs like HackerOne or Bugcrowd, which report submitted vulnerabilities directly to the developers so they can be patched immediately. Conventional programs also typically pay far less to the security researcher submitting a vulnerability.

How long, then, were Tor Browser users unnecessarily placed at risk? The puzzle pieces are not difficult to put together. On September 13, 2017, Zerodium’s website announced a limited-time bounty: between September 13, 2017 and November 30, 2017, they would pay out a total of $1,000,000 for Tor Browser vulnerabilities. Yes, you read that right. One million dollars. To put this in perspective, on the Tor Project HackerOne page, the developers of Tor Browser offer up to $4,000 for high severity vulnerabilities, and have only paid out a total of $7,100 since their bug bounty program launched on July 20th, 2017. They simply can’t compete with the financial capabilities of governments. Zerodium’s announcement also specified that a higher payout would be awarded for a fully functional exploit bypassing the Tor / NoScript “Safest” security level, which blocks JavaScript. This is exactly what happened. A security researcher found such a vulnerability, developed an exploit and sold it to Zerodium. Although Zerodium did not reveal at that time the results of their Tor Browser vulnerability payouts, Bekrar indicated to ZDNet last week that during and after the limited-time bounty offer, they acquired many Tor exploits which met their requirements. This means that government entities had this Tor Browser exploit available to them sometime after the start of the limited-time bounty on September 13, 2017. Tor Browser 8.0, which Bekrar stated is not affected by the vulnerability, was released on September 5, 2018 – just 5 days before Zerodium released the Tor Browser 0-day to the public on September 10, 2018. This means that for possibly almost a year, Tor Browser users attempting to protect themselves from oppressive regimes were unnecessarily placed at risk.

If the security researcher who sold the Tor Browser exploit to Zerodium had instead submitted it to the Tor Browser developers, they would likely have received a far smaller financial reward, but would have done a good deed for the world.

Of course, it’s possible that some government spy agencies discovered the Tor Browser vulnerability on their own and knew of it before Zerodium began secretly peddling it. Giorgio Maone, the developer of the NoScript extension bundled with Tor Browser, told ZDNet that the bug was introduced in NoScript 5.0.4, which was released on May 11, 2017. If spy agencies or anyone else found this bug before Zerodium acquired it, users may have been at risk starting at that time.

Legitimate bug bounty programs are supposed to operate in such a way that when vulnerabilities are discovered by security researchers, they are reported to the developers and patched as quickly as possible. But with the likes of Zerodium on the scene, security researchers are being seduced by big money to sell their exploits to vulnerability acquisition companies and their elite customer base. The security bugs purchased by such organizations are often intentionally not submitted to the appropriate developers, in an effort to keep them from being patched. With the vulnerabilities left unpatched, government customers can secretly acquire and use exploits against their targets as they see fit.

Zerodium is not the only vulnerability acquisition company catering to governments. It is widely known that major defense contractors like Northrop Grumman, General Dynamics and Raytheon also sell exploits to government entities. There are likely others. With such powerful corporations covertly selling 0-day exploits, privacy is an uphill battle for those living under oppressive regimes.

Vulnerability acquisition companies and government entities typically justify their behavior by citing use cases that involve scenarios like terrorism threats, or sexual exploitation of children. This tends to sway public opinion in their favor. An increasing number of people, however, are becoming concerned with the cost of giving government such power.