SecurityWeek

Kevin Mitnick Launches Brokerage Service for Zero-Day Exploits

Former convicted hacker Kevin Mitnick has entered a grey area of the security industry after launching a service that facilitates selling and buying of zero-day exploits.

According to Mitnick Security, Absolute Zero-Day Exploit Exchange is an exclusive brokerage service through which top-paying government and corporate buyers can connect with security researchers and exploit developers. The service was silently launched six months ago, but the company only started publicly advertising it recently.

Selling exploits to government agencies is a highly controversial matter. Companies like Vupen and Exodus Intelligence have often been in the spotlight over their practices. It’s interesting that Mitnick would take on this role considering his history with the US government and the fact that he plans on launching a book that teaches people how to stay “invisible” in this age of Big Brother and big data.

However, Mitnick told Wired in an interview that he would never consider selling exploits to governments like the one in Syria or a criminal organization.

On the page dedicated to the service, Mitnick Security clarifies that Absolute Zero-Day is a closed, referral network, not an open forum. Those who want to become buyers or sellers must qualify, for which they might be charged various fees if they’re not known by the company.

“I’m not interested in helping government agencies spy on people,” Mitnick said. “I have a unique history with the government. These are the same people who locked me in solitary because they thought I could whistle nuclear launch codes.”

The zero-day exploits brokered by Mitnick’s firm are said to target widely distributed software, to be rated 8 or higher according to the Common Vulnerability Scoring System (CVSS), and to be valued at a minimum of $100,000.

Entities that want to acquire zero-day exploits through Absolute Zero-Day must first request access to the service. Once they pass the screening process, they request the exploits they want. Mitnick says the service is like “an Amazon wish list of exploits.”

The buyer is notified when a seller provides the requested exploit. The payment for the exploit is held in escrow until the legitimacy of the exploit is verified. As part of the company’s “Absolute X” program, buyers can request exclusive or non-exclusive use of a certain zero-day. They can also specify the minimum timeframe in which they want exclusivity for the exploit. This can be enforced by paying the seller in multiple installments, Mitnick Security explained on its website.

Buyers who want to ensure they learn first of the availability of certain zero-days can opt for a premium service called “Absolute Z” in which they pay Mitnick Security a retainer fee set at the company’s discretion.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
