Silly Kiddie, Exploits Are For Free

While Bugs May No Longer Be Free, Exploits Really Want To Be

Earlier this month I stumbled across a quote that caught my attention not because it was insightful but because I felt it was so inaccurate that I read the rest of the article out of pure curiosity to see what other claims would be made. The quote came from Rick Moy, the president of NSS Labs, who claimed that, “a penetration tester is only as good as the exploits he has to work with.”

Mr. Moy cheapened the skill of penetration testing to a bag of tricks, which is how the industry describes script kiddies. But after this initial surprise, I realized that the claim appeared to be an attempt to promote NSS Labs’ upcoming exploit marketplace: Exploit Hub. The message implied that “you’re only worth as much as the exploits that we’re going to be selling.” And Doctor, you’re only as qualified as the stethoscope that you’re planning on using.

So putting aside Mr. Moy’s claim, I curiously read onwards to find out more about the Exploit Hub (EH). Certainly, it seems like a promising idea – to create a place for security researchers and penetration testers to exchange exploits for money – a capitalist, free market for the security community. But in practice I suspect that successfully establishing an exploit marketplace will be challenging for many reasons beyond EH’s control.

Once Bread Becomes Toast, It Can Never Be Bread Again

One difficulty with an exploit marketplace is that the product is software – generally an exploit is a small piece of code designed to take advantage of another piece of code. If we presuppose that an exploit is fundamentally no different than any other program, then it follows that we gain the same advantages (e.g. minimal cost to scale and distribute) and disadvantages (e.g. piracy and IP theft) of traditional software.

How do you prevent piracy? This will be perhaps the hardest challenge facing EH since the value of the exploit comes primarily from knowledge of how to trigger and exploit the vulnerability successfully. Once purchased, there will be little to deter an exploit buyer from freely redistributing the code. Moreover, with the exploit in hand, it will also be a simple exercise to extract the intellectual value – the details of the attack (e.g. offset, payload, and trigger). Nothing can prevent someone from rewriting the exploit for broader distribution on free exploit repositories, within existing exploit frameworks, or on public mailing lists.

EH won’t be able to prevent piracy, particularly when it’s occurring underground and perpetrated by intelligent hackers. Alas, on the Internet when something becomes known, you can’t make it unknown.

Uncertain Sellers and Limited Buyers

The lack of deterrence against piracy will undoubtedly dissuade some security researchers from submitting exploits. Yet another factor weighing against the contribution of exploits is the restricted market for exploit writers’ goods.

The target market for exploits will be limited by EH’s buyer qualification process, which purportedly ensures that only the “right” people and organizations are allowed to purchase the exploits. While this approach establishes (somewhat ambiguously) defensible ethical positions and applies a patina of exclusivity, it limits the number of potential buyers for exploit writers. This in turn decreases the potential market value for their goods, and ultimately discourages contribution from researchers desiring remuneration for their efforts.

The test here will be to find enough buyers to make it worthwhile for researchers while simultaneously competing against traditional markets – exploit repositories, exploit frameworks, and mailing lists.

Free is Tough Competition

Existing markets create a high barrier to entry for an exploit marketplace that doesn’t really provide any distinct advantage. The security community has had a long history of contributing to free online repositories and mailing lists, including such classics as bugtraq, PacketStorm, and milw0rm. The more recent inj3ct0r repository claims over fourteen thousand exploits, and the Exploit Database by Offensive Security, with over twelve thousand exploits of which many are verified, is hard to beat.

Stiff competition will also come from the Metasploit Framework, which offers extremely reliable, up-to-date exploits for more than 440 vulnerabilities, at a sum total cost of zero. A commercial version called Metasploit Express is also available that provides additional features for penetration testers at a cost of USD$3,000 (at the time of writing), which averages to approximately USD$6.80 per vulnerability. Immunity’s CANVAS also provides a suite of over 370 reliable exploits, with exploits being added for the latest vulnerabilities on a monthly basis. While the cost for Metasploit Express and CANVAS is not zero, it is still well within the range of all but the smallest professional penetration testing organizations. Both tools make it difficult to justify paying for individual exploits, especially when exploits for the latest and greatest vulnerabilities are constantly being developed and released for free (the Metasploit Framework) and affordable (Metasploit Express and CANVAS) exploitation frameworks.

And So…

The intractable problem of piracy, a limited set of buyers, and compelling alternatives will make the Exploit Hub a difficult endeavor. One may note that both Metasploit and CANVAS provide the full source code to their exploits, as they know full well that keeping them secret is a losing proposition. What the open market is willing to pay for comes in the form of support, additional features, and reliable exploits. While EH may be able to claim reliability, it will be challenged to offer additional features or support at a credible price point. Looking forward, one area Exploit Hub and other exploit marketplaces should focus on is creating a community where professional penetration testers can match up with exploit writers; one-off, custom exploit development is an underserved market with limited competition – for now.
