In April this year, UAE-based Crowdfense caused a commotion in the cybersecurity community by announcing record ‘bug bounties’ of up to $3m for a single vulnerability.
The company launched with the public announcement of a $10m bug bounty program, offering the largest ever bounties for Android, iOS, Windows and Mac zero-day exploits - previously unknown vulnerabilities in software which can be used to hack the target systems.
The cybersecurity community was surprised, even offended, not just that the company was going public with such large bounties, but that it made no secret of the fact that it did not plan to disclose the vulnerabilities to the responsible software vendors, and would instead sell them to government agencies.
In the normal model, security researchers inform software vendors of bugs in their products, so that the vendors can fix the errors before they are found by hackers and used for malicious purposes. In return, the researchers get a discretionary cash bounty, but also agree not to publicly disclose the vulnerability until a fix has been released. Crowdfense's model is to become a ‘vulnerability research hub’, collecting vulnerabilities from researchers in return for bounties, and then passing them on to interested governments.
Andrea Zapparoli Manzoni, director of Crowdfense, admits that many people are looking at the company with suspicion, and questioning its motives in offering record bounties of between $500,000 and $3 million, which in some cases is hundreds of times the bounties offered by the software vendor community.
Speaking to ITP.net, Manzoni said that the public launch was part of the company's overall strategy to professionalise the vulnerability market and to lure the best security researchers away from the current black market in security exploits - usually the richest buyers of exploits are cybercriminals or malicious state actors with ill intent. Crowdfense instead aims to bring those exploits to trusted government agencies for legitimate purposes.
"Law enforcement and intelligence agencies nowadays must operate in cyberspace, as much, if not even more than they do in the physical space - they need the tools, the know-how, but this is not something they can easily procure themselves," Manzoni said.
"Governments, for legitimate reasons, need these tools. There is no way that we can pretend that this is bad or dangerous, it is [the same] as the need for personal firearms for law enforcement agents. We decided to go public, while other competitors are secretive, because it is time that people understand that these things are not necessarily bad."
Manzoni, the former head of cybersecurity for KPMG in Italy, and an author and consultant in IT security, established the company at Abu Dhabi's Masdar City free zone, with backers from the region.
The value to a surveillance agency of an exploit in a mobile phone operating system is immense, he explained, because so much of our lives is now tracked by these devices, and because criminals generally don't practise very good cybersecurity. When an intelligence agency can identify the make, model and operating system of a phone or PC used by one of its targets, the right vulnerability can open up an invaluable resource of information on the subject.
The problem is that at present the market for such vulnerabilities is a very murky area, dominated by shady brokers and intermediaries. Government agencies attempting to buy vulnerabilities through such a market risk being sold exploits or hacking tools that don't do the job, or that don't work at all. The market in exploits is further complicated by the relatively short shelf-life of an exploit before the OS or application is patched or updated, making the exploit useless.
By becoming a trusted resource for vulnerabilities, Crowdfense aims to create an enterprise-like process for legitimate clients to source vulnerabilities. The process will cut out the middlemen, Manzoni explained, and Crowdfense will test, analyse and authenticate the vulnerabilities to ensure quality and consistency, and provide ongoing support, although he is keen to point out that the company will not itself develop any hacking tools.
This will also have the benefit of eliminating the need for governments to stockpile vulnerabilities, and to waste resources acquiring exploits that they don't need or that expire before they have a chance to use them.
There is very little actual legislation to govern the exchange of software vulnerabilities, Manzoni added, and even agreements such as the Wassenaar Arrangement, which in part governs international trade in software that could be used for malicious purposes, are applied differently in different countries. This means that Crowdfense has to be self-governing, and the company aims to be clear about what it will and won't do.
Crowdfense is focused exclusively on a small group of vulnerabilities that can be used for information gathering, mainly mobile device operating systems and web browsers. Despite being offered "a crazy amount of vulnerabilities", Crowdfense will not deal in any vulnerabilities linked to SCADA, social media accounts, public cloud services, online banking, ATMs, vehicles, connected infrastructure, IoT gear, wearables, and critical national infrastructure, or anything to do with leaked documents or account details.
"We refuse to buy - we won't even discuss - vulnerabilities that are too dangerous, which can be used for creating cyber weapons, to disrupt the target systems, because we don't want to give support to that kind of activity," Manzoni said.
In terms of customers, the company won't work with countries that are on any UN blacklists or have technology embargoes against them, or that have well-known violations of human rights. A large part of Manzoni's role so far has been in meeting and vetting potential researchers and customers, and building relationships with them in person. Relationships are backed up with extensive contracts to protect all parties, and preserving the anonymity of researchers and customers is also a major focus.
The company has been proactive with researchers in order to build up the best possible pipeline of vulnerabilities, to ensure that when a customer approaches them, they have an exploit to fit the task. So far the company has paid out several large bounties, and the relationship with researchers has progressed to the point where trusted researchers can be given ‘challenges’ to investigate specific areas of interest.
Manzoni is critical of technology companies that refuse to co-operate with legitimate law enforcement, comparing the refusal of some companies to provide access to devices or accounts that belong to criminal suspects to Boeing refusing to hand over the black box of a plane that had crashed.
He added that the industry needs to be more pragmatic about working with law enforcement and government: "Every serious hacking event or conference has a lock-picking sub-event - why? Because there is always tension between those who build the locks, and those who find ways to open them, whether for good reasons or bad reasons," he said.
"There is still in Silicon Valley a hippy-like, radical approach, which says that technology is only bringing good to humanity - which is not true - the world is more complicated. We need to establish ways to protect society, one [of the ways we do that] is how we give the right entities, within the constitutional boundaries and limitations, the tools to protect society. What we are doing is finding ways to open locks, which has good applications as well, not only bad applications."
Manzoni is also critical of the current state of bug bounties. Existing vendor bounty programs offer little incentive to security researchers, he believes, and are little more than a ‘pat on the back’ for security professionals who are doing a job that the software vendors should have done themselves in the first place - namely taking responsibility for the defects in their products.
The software industry should concentrate on creating more secure products, instead of relying on the ethos that says researchers should disclose bugs they find to the vendor, without expectation of a reward.
"I disagree with the philosophical point of view of those who think that bug bounties should only be made by the community for full disclosure, responsible disclosure purposes. There is one thing that the Silicon Valley hippies forget, and that is the only industry in the world where vendors are not responsible for defects in their products, is the software industry.... Software vendors don't want to pay for the security of their products - so we will force them to do it.
"A researcher has to be very skilled to find a zero day in iOS, and then they sell it to Apple for $10,000, when the market value is $2 million," Manzoni said. "They [Apple] are demonstrating that they are not willing to compete with the zero day market, they don't want to establish a practice of looking for vulnerabilities. I will be convinced that responsible, full disclosure is a necessity, when they will be responsible for the defects of their products."
In the long run, Manzoni said he hopes that Crowdfense will create a more efficient and reliable market for its customers, which eliminates the illicit brokers from the market. At the same time, this will also give the best security researchers a more generous, and legitimate, return for their hard work than the current black market, and raise professional standards to further improve software security.
"If we can convince these researchers, that they can work for the common good, while being paid a lot of money and not selling the stuff to cybercriminals, that would be perfect."