Connect with us

Hi, what are you looking for?



Kevin Mitnick Launches Brokerage Service for Zero-Day Exploits

Former convicted hacker Kevin Mitnick has entered a grey area of the security industry after launching a service that facilitates selling and buying of zero-day exploits.

Former convicted hacker Kevin Mitnick has entered a grey area of the security industry after launching a service that facilitates selling and buying of zero-day exploits.

According to Mitnick Security, Absolute Zero-Day Exploit Exchange is an exclusive brokerage service through which top-paying government and corporate buyers can connect with security researchers and exploit developers. The service was silently launched six months ago, but the company only started publicly advertising it recently.

Selling exploits to government agencies is a highly controversial matter. Companies like Vupen and Exodus Intelligence have often been in the spotlight over their practices. It’s interesting that Mitnick would take on this role considering his history with the US government and the fact that he plans on launching a book that teaches people how to stay “invisible” in this age of Big Brother and big data.

However, Mitnick told Wired in an interview that he would never consider selling exploits to governments like the one in Syria or a criminal organization.

On the page dedicated to the service, Mitnick Security clarifies that Absolute Zero-Day is a closed, referral network, not an open forum. Those who want to become buyers or sellers must qualify, for which they might be charged various fees if they’re not known by the company.

“I’m not interested in helping government agencies spy on people,” Mitnick said. “I have a unique history with the government. These are the same people who locked me in solitary because they thought I could whistle nuclear launch codes.”

 The zero-day exploits brokered by Mitnick’s firm are said to be for widely distributed software, they are rated 8 or higher according to the Common Vulnerability Scoring System (CVSS), and their value is at least $100,000.

Advertisement. Scroll to continue reading.

Entities that want to acquire zero-day exploits through Absolute Zero-Day must first request access to the service. Once they pass the screening process, they request the exploits they want. Mitnick says the service is like “an Amazon wish list of exploits.”

The buyer is notified when a seller provides the requested exploit. The payment for the exploit is held in escrow until the legitimacy of the exploit is verified. As part of the company’s “Absolute X” program, buyers can request exclusive or non-exclusive use of a certain zero-day. They can also specify the minimum timeframe in which they want exclusivity for the exploit. This can be enforced by paying the seller in multiple installments, Mitnick Security explained on its website.

Buyers who want to ensure they learn first of the availability of certain zero-days can opt for a premium service called “Absolute Z” in which they pay Mitnick Security a retainer fee set at the company’s discretion.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.