Government agencies that want to snoop around pay 5 times Google's bounty, at least

Mar 21, 2012 14:33 GMT

Many have been wondering why the security experts from French company Vupen refused to enter the Google-funded Pwnium competition and only enrolled in TippingPoint’s Pwn2Own event. The short answer is that Google would have wanted a complete description of the vulnerabilities in return for the bounty.

According to Forbes, Vupen didn’t want to enroll in Pwnium because the sums offered by Google were small change compared to what the company can make by selling its findings to government agencies, which are constantly in search of new ways of spying on people.

“We wouldn’t share this with Google for even $1 million. We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers,” said Chaouki Bekrar, Vupen’s CEO.

While he refuses to talk about exact figures, experts believe that zero-day exploits that allow seamless access to computers can be worth 10 or even 100 times more than what a software firm would normally pay.

Frost & Sullivan analysts revealed that Vupen charges around $100,000 (75,000 EUR) for a one-year subscription from customers who want to use its techniques. Moreover, the company doesn’t sell exclusive rights to anyone; instead, it provides the same exploitation methods to a number of government agencies.

Bekrar states that their products are only sold to NATO governments and NATO partners, and that non-democratic agencies never make their client lists.

He admits that there is no precise way to ensure that the “bad guys” don’t get their hands on the exploits, but privacy activist Chris Soghoian takes it up a notch and calls Bekrar a “modern-day merchant of death.”

“Vupen doesn’t know how their exploits are used, and they probably don’t want to know. As long as the check clears,” Soghoian said.

Of course, Vupen is not the only company that commercializes zero-day security holes that can be leveraged for spy games, but so far it has been the most vocal one of the bunch.

Bekrar claims that he has nothing to hide because his business is completely transparent, but at the same time he refuses to give too many details regarding his personal life.

On the other hand, there seems to be a personal battle between him and Google, because this is not the first time he has teased the company with Chrome vulnerabilities.

In May 2011, the French firm released a video showing how a system could be compromised through a Chrome flaw, but refused to give any details to Google.