Post-PWN2OWN: Are Exploit Sellers Playing Nicer?

At last year’s PWN2OWN contest, exploit seller VUPEN caused a stir. Despite having won thousands by revealing a flaw in Google’s Chrome browser, it would not reveal the details of the vulnerability to the tech giant. The French firm’s CEO said it wouldn’t have even handed information to Google if $1m was on the table.

Yet at this year’s PWN2OWN, after uncovering a host of vulnerabilities in major pieces of software, VUPEN handed over all details to the relevant vendors, including Adobe, Microsoft, Mozilla and Oracle.

Exploit sellers in general have been labelled as merchants of death in the past, providing nation states with the tools to spy on people, as well as giving protection to a select few (i.e. their customers) rather than all Internet users. That’s because their customers pay them hundreds of thousands, whereas vendors pay comparative peanuts. But has VUPEN signalled a change in tack? Is it getting nicer?

PWN2OWN makes exploit seller smile

To some extent, yes. Even though it won’t admit it.

In an email conversation, VUPEN CEO Chaouki Bekrar tells me the main reason the firm decided to share this time at PWN2OWN was the amount of money on the table. Tellingly, Bekrar’s team did not win anything close to $1m; in fact, its overall winnings were less than half of that. Just a year ago, they would have scoffed at the idea of handing over information for such paltry sums – now they’re more than happy to do so.

This openness has had an immediate impact. Mozilla moved quickly to patch, whilst the other vendors are actively working on fixes. As PWN2OWN findings are not publicly released, vendors are given breathing room to work on effective patches.

Even more positively, researchers had to work for months on breaking the software, whilst patching has so far been quick to arrive. And Chrome OS came out unscathed, leaving over £2 million of prize money untouched. Could it be that software is getting more secure?

And instead of the pugnacity of 2012, VUPEN is verging on amicable. Bekrar is, ostensibly, happy to work with vendors. He believes that more money will lead to greater sharing from vulnerability researchers, creating a more secure Internet.

“We tried without success during years to entice major vendors such as Microsoft to decently reward researchers for their hard work,” he tells me.

“Maybe vendors such as Microsoft and Adobe should not pay for vulnerabilities (or proof-of-concept codes) if it’s against their internal policies or ideology.

“They should, however, consider paying high rewards for fully functional exploits or for new techniques; this would help them learn from researchers and make their products much more secure. If they need our feedback and assistance on such a project, we will be glad to contribute.”

The message from this section of the vulnerability research community is clear though: if vendors paid more money, more users would be protected. Given security is a major selling point now, and how much cash tech giants are sitting on, it would come as no surprise if more substantial prize funds appeared.

That still might not do much to improve the reputation of exploit sellers amongst left-leaning Internet activists, however. Asking for more money tends not to make one look saintly.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.