Dubai startup seeking unpatched flaws to sell them to govts

Apr 26, 2018 09:59 GMT

Hackers who know of zero-day flaws in Windows, iPhone, Android, or Mac can make up to $3 million by sharing the exploit with a Dubai startup called Crowdfense, which agrees to pay millions of dollars for unpatched vulnerabilities and then resells them.

Crowdfense says what it wants to do is purchase zero-days from hackers and then hand them over to government and intelligence agencies who are trying to break into devices or software that might hide valuable data in criminal or terrorist investigations.

“When I think about government agencies I don’t think about the military part, I think about the civilian part, that works against crime, terrorism, and stuff like that,” Crowdfense’s director Andrea Zapparoli Manzoni was quoted as saying by Motherboard.

“We only focus on tools aimed at doing activities of law enforcement or intelligence, not aimed at destroying or deteriorating the functionality and effectiveness of the target systems—but only aimed at collecting intelligence.”

$10 million budget

The company hasn’t disclosed the names of the governments that it’s working with, and says that the names of those who sell their exploits will never be revealed. Crowdfense has a budget of $10 million to purchase zero-days for these platforms, and promises full transparency, even though a series of details like the ones mentioned above haven’t been disclosed.

The United States government has repeatedly asked for support from tech companies over attempts to break into devices used by criminals or terrorists, and one particular case involves the iPhone owned by one of the San Bernardino shooters. Apple refused to help the FBI unlock the device and the bureau eventually hired a third-party company to extract data from the device, allegedly paying $1 million.

More recently, a device called GrayKey, which is capable of bypassing the password of any iPhone running even the latest version of iOS, is being purchased en masse by US law enforcement. The device uses a zero-day flaw in iOS that Apple is yet to discover.