Kevin Mitnick, the convicted hacker turned security consultant, has entered a grey area of the security industry by launching a service that brokers the sale and purchase of zero-day exploits.
According to Mitnick Security, Absolute Zero-Day Exploit Exchange is an exclusive brokerage service through which top-paying government and corporate buyers are connected with security researchers and exploit developers. The service was quietly launched six months ago, but the company only recently began advertising it publicly.
Selling exploits to government agencies is a highly controversial business. Companies such as Vupen and Exodus Intelligence have repeatedly come under scrutiny over their practices. It is notable that Mitnick would take on this role given his history with the US government and the fact that he plans to publish a book teaching people how to stay “invisible” in an age of Big Brother and big data.
However, Mitnick told Wired in an interview that he would never consider selling exploits to a government such as Syria’s or to a criminal organization.
On the page dedicated to the service, Mitnick Security states that Absolute Zero-Day is a closed referral network, not an open forum. Prospective buyers and sellers must be vetted, and applicants not already known to the company may be charged fees for that vetting.
“I’m not interested in helping government agencies spy on people,” Mitnick said. “I have a unique history with the government. These are the same people who locked me in solitary because they thought I could whistle nuclear launch codes.”
The zero-day exploits brokered by Mitnick’s firm are said to target widely deployed software, to carry a Common Vulnerability Scoring System (CVSS) score of 8 or higher (a high-severity rating on the scale of 0 to 10; note that CVSS scores the underlying vulnerability, not the exploit itself), and to be priced at a minimum of $100,000.
Entities that want to acquire zero-day exploits through Absolute Zero-Day must first request access to the service. Once they pass the screening process, they can request the exploits they want. Mitnick says the service is like “an Amazon wish list of exploits.”
The buyer is notified when a seller provides the requested exploit. Payment is held in escrow until the exploit has been verified to work as claimed. As part of the company’s “Absolute X” program, buyers can request exclusive or non-exclusive use of a given zero-day, and can also specify the minimum period for which they want exclusivity. That exclusivity can be enforced by paying the seller in multiple installments spread over the period, Mitnick Security explained on its website.
Buyers who want to be notified first when certain zero-days become available can opt for a premium service called “Absolute Z”, in which they pay Mitnick Security a retainer fee set at the company’s discretion.