SecurityWeek

Kevin Mitnick Launches Brokerage Service for Zero-Day Exploits

Former convicted hacker Kevin Mitnick has entered a grey area of the security industry after launching a service that facilitates selling and buying of zero-day exploits.

According to Mitnick Security, Absolute Zero-Day Exploit Exchange is an exclusive brokerage service through which top-paying government and corporate buyers can connect with security researchers and exploit developers. The service was silently launched six months ago, but the company only started publicly advertising it recently.

Selling exploits to government agencies is a highly controversial matter. Companies like Vupen and Exodus Intelligence have often been in the spotlight over their practices. It’s interesting that Mitnick would take on this role considering his history with the US government and the fact that he plans on launching a book that teaches people how to stay “invisible” in this age of Big Brother and big data.

However, Mitnick told Wired in an interview that he would never consider selling exploits to governments like the one in Syria or a criminal organization.

On the page dedicated to the service, Mitnick Security clarifies that Absolute Zero-Day is a closed, referral network, not an open forum. Those who want to become buyers or sellers must qualify, for which they might be charged various fees if they’re not known by the company.

“I’m not interested in helping government agencies spy on people,” Mitnick said. “I have a unique history with the government. These are the same people who locked me in solitary because they thought I could whistle nuclear launch codes.”

The zero-day exploits brokered by Mitnick’s firm are said to be for widely distributed software, rated 8 or higher according to the Common Vulnerability Scoring System (CVSS), and valued at a minimum of $100,000.

Entities that want to acquire zero-day exploits through Absolute Zero-Day must first request access to the service. Once they pass the screening process, they request the exploits they want. Mitnick says the service is like “an Amazon wish list of exploits.”

The buyer is notified when a seller provides the requested exploit. The payment for the exploit is held in escrow until the legitimacy of the exploit is verified. As part of the company’s “Absolute X” program, buyers can request exclusive or non-exclusive use of a certain zero-day. They can also specify the minimum timeframe in which they want exclusivity for the exploit. This can be enforced by paying the seller in multiple installments, Mitnick Security explained on its website.

Buyers who want to ensure they learn first of the availability of certain zero-days can opt for a premium service called “Absolute Z” in which they pay Mitnick Security a retainer fee set at the company’s discretion.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
