Last week an article on CIO.com about a new company in the cybersecurity market co-founded by Luigi caused a little bit of an uproar when it noted that ReVuln® would be selling vulnerabilities rather than reporting them to vendors or national CERTs. While this is of concern to security managers, it is hardly a new business model. What is new is that a high-profile researcher (and Luigi has always thrived on visibility) is publicly advertising that he is selling vulnerabilities to governments and other ‘responsible’ entities. Add to that the fact that they are apparently selling non-exclusive notifications to a wide variety of customers.
Luigi made a name for himself through uncoordinated disclosures of vulnerabilities in a wide range of software systems. As I have noted here in a couple of instances, Luigi has taken the coordinated disclosure route on occasion (via ZDI), but the vast bulk of his prolific disclosure inventory has been made as simple postings on his personal web site or via Bugtraq.
A number of commenters over the last couple of years have questioned how Luigi could hope to make a living if he continued to piss off vendors via his public disclosures. Those questions have apparently been answered.
ICS Vulnerabilities for Sale
The ReVuln homepage notes that 44% of the vulnerabilities they currently have for sale involve industrial control systems (SCADA). With the current rise in interest in cyber-warfare and cyber-weapons, these vulnerabilities should find a relatively vigorous market with governments. Both offensive and defensive activities will find access to these vulnerabilities very valuable.
In fact, cyber-defenders are probably going to be forced to subscribe to the ReVuln services, since the company apparently is not selling exclusive access to these vulnerabilities. Knowing that an adversary might have access to vulnerabilities in control systems in critical infrastructure, defenders will want access to the same vulnerability information so they can put appropriate defenses in place to prevent their use in a cyber-attack.
Will Vendors Buy?
The ReVuln website ‘Services’ tab notes that the Zero-day feed service is available to ‘Companies and Governments’. I’m sure that no advertising department at any of the major vendors will announce that its company is subscribing to this service, but I am willing to bet that there will be some ICS vendors that will think that buying zero-day vulnerabilities in the marketplace will, in the long run, be more cost effective than allowing them to be available to governments and other vendors without knowing about them. At least they would have a chance to get the problems patched if they know about the vulnerabilities.
Actually, I’m pretty sure that vendors would do their best to ensure that they are not seen as subscribers to this service. Luigi and ReVuln are already going to be causing any number of other ‘independent security researchers’ to look at the ‘vulnerability for sale’ business model. If it becomes publicly known that any of the major vendors are subscribers, we will see even more startups in this field.
An interesting question arises because of ReVuln’s marketing of these vulnerabilities to ‘companies’. I don’t see anything that specifically identifies system vendors as being (or precludes them from being) potential customers. If they are willing, for example, to sell to ICS vendors, will Vendor A get access to 0-days for Vendor S? Ignoring the potential marketing advantage of knowing about the competitor’s vulnerabilities, it would certainly make sense that Vendor A should be interested in checking their own system for vulnerabilities similar to those found in Vendor S’s product line.
Will CERTs Buy?
The most obvious potential government agencies that could have an interest in subscribing to this type of service (outside of the military or intelligence services, of course) would be national CERTs. In the US one would like to think that the ICS-CERT would be a natural customer for this type of service. Again, a quiet customer, because ICS-CERT also has a strong self-interest in maintaining the coordinated disclosure system.
The question for CERTs is whether the politicians will allow them (authorize the spending) to subscribe to this type of service. On the one hand, the intelligence/military folks probably would not like to see this, as ICS-CERT (for example) would be expected to work with the vendor to get the systems patched. That would remove that 0-day from the potential arsenal of the intel/military ops people.
On the defense side of the equation, how would the government go about defending critical infrastructure installations against the 0-days if it didn’t notify the vendor? Perhaps we will see the rise of a defensive programming cadre within military/homeland security that would develop their own patches for sensitive systems. I can see the military mind coming up with that idea, but no control systems engineer with any sense would apply a patch that hadn’t gone through the vendor vetting process. There’s no telling what neat problems could arise.
As one would expect, ReVuln takes the security of their product line very seriously. Their web site makes it clear that the vulnerability information is not available directly through their web site (they securely email the 0-days to their customers) and that they do not store the vulnerability information on any of their servers. I would suspect that Luigi and company are paranoid enough to store that information on stand-alone computers in a secure and shielded room. After all, they don’t make any money if someone steals their 0-days.
One thing is pretty certain: I foresee some vendors calling for the regulation of companies like ReVuln. As much as they have opposed cybersecurity regulation that might have put restrictions or requirements on their own operations, someone is certainly going to call for restricting the right of folks to sell vulnerabilities. I will be very surprised if we don’t see some sort of pro forma bill introduced during the waning days of this session.
Actually this may be one of the reasons that Luigi and company chose Malta as their home base (besides the beautiful weather, picturesque countryside, and lovely blue water); the US Congress (or EU or whomever) is going to have a difficult time enforcing local laws on their Maltese operations.
Having said that, what would reasonable regulations look like? Well, you can’t shut them down and you can’t stop them from making reasonable sales in the public marketplace; the knowledge of the vulnerabilities comes from their own research, so they certainly own it. You could place some reasonable restrictions on who they can sell the information to: no known terrorists or criminal enterprises. Perhaps you could get away with requiring them to offer non-exclusive sales to various CERT organizations and allowing those organizations to contact the affected vendors.
Or maybe they could just be required to offer to sell the vulnerabilities to the vendor before offering them on the open market. It would be interesting to see how you would craft rules to establish what is a reasonable price for the vendor to take or leave. Of course, that has been the problem all along, as most vendors have been loath to pay some unwashed heathen (okay, they didn’t actually say that, but that has been the impression that many in the research community have been dealing with) for finding some ‘relatively minor’ problem with their control system.
In any case, ReVuln is not really anything new. We have been hearing about an underground economy in 0-day sales for a couple of years now. What Luigi and friend have done is to bring the business plan out into the open so that we can all participate (or not). We will certainly discuss it and perhaps try to regulate it. But, it is not going away.