Zero Day Broker SSD Sells Early Access To Cybersecurity Vulnerabilities

Published Aug 17, 2023, 13:14

While the norm for cybersecurity disclosure is to share vulnerabilities only with the vendor until the vendor fixes them, zero-day broker SSD has built a business selling early access to vulnerabilities across a broad range of targets, from OSes to web browsers, mobile and IoT devices.


SSD told IPVM they follow responsible disclosure and vet who they sell this early access to.

This atypical model, generally offering far greater payments, challenges vendor bug bounty programs and many vendors' expectations that researchers will simply inform them at no charge.

However, this also raises concerns about which buyers are obtaining early access and what they will do with it.

SSD **********

*** ****** ************** ******** *********** ** ******* *************** for "* **** ***** ** ******** and ********". *** ************ ** ******************** *****, *****, *** ***** (*** SSD ****) *** ***** ** ****** conference ** *********** **********.

** **** ****,**** *********** ******** ** ** $**,*** *** Uniview ***************, ** ******** ******' *** ****** *********** ******** ** ** $*,*** ******* (which **** ***** ******* ** $*,***.)

SSD: ********* *** *** "***** *****-**"

***** ********* ********************** *** **** *** *******, *** both ***** **** **** **** *** not ******* **** ***, ******* *** question ** *** **** *** ** not *** *******.

*** **** **** ** ** **** by * *********** ** ******* *** customers *** "**** ** ***** *****-** on ******** *************** ** *** ******* they *** *****":


*** ***** **** ******** *********** *** enjoy ******* *** ******** *************** *** like *** ****** ** ******* **** for ***** **** *** ******. *** vulnerabilities *** ********* ** *** ****** for ****** *** *** ********** ******** is *********** **** *** ******.

******* ***** **** *** ******* ** the **** ** ****** *** *************** found *** ****customers ** ***** ******* *** **** ** ***** *****-** ** ******** *************** ** *** ******* **** *** *****.

** ***'* ******* ** *** **** with ******** ******* ** *********, *** we **** **** *** ******* ** other ********** ********' ******** ** *******. We *** ***** ** *** ************ to *** ******** ******** ***** **** the **** ******* ******* *** ** believe **** *** ****** ** *** ecosystem ** * **** ***** *** everyone. ** ********, **'* **** ** see **** ****** ********, **** ********** companies, *** **** **** ******** ******** being ****. **'** ***** **** ****** are ******** ** *** ***** *********.

** ** ******* **** ** *** short **** ****** *********** ******** ******** vulnerabilities ** ********** ** *** ****** manufacturer, *** ** *** **** **** it ***** *** ******* **** ******, and ** ********* *** *** ******** more ******. **'* * **** *** gain *** *** ******* *******.

*** ***** ** ******** ******* ***********, vendors *** ********* ** ******* ****** our ******* *****. [******** *****]

**** ******* **** *** ********* **** ** *** ********* *** to **** *************** ** *** ******** they *** (*****, ** **** ****) as *** ***** ***** ********* *** be ******** "******* ********** ***** ** is ***** ***********".


SSD **** ************* ***** "******* *** ******"

**** ***** *** ***** ** ** permits *** ********* ** *** **** "early *****-**" *** *******/********* ********.

*** *** *** ******** *******, ******* stating *** *** ********* ** ******* due ********* *** ***** ***** ** "ethical *** ******":

** *********, all *** ********* ** ******* *** ********* and we verify that their usage of the information is ethical *** ******. There are no exceptions. Also, as mentioned, all *************** *** ******** ** *** ******, and there are no exceptions here either. [emphasis added]

***** *************** *** ******* ******** *** been ********* ** ***** ** ** "ethical *** ******" ******, *.*., ****** ******* **************** ******* *** **** **** ** "ethical *** ******" ** *******.

SSD "******** *** ********** *********** **********"

*** **** **** ** "******** *** encourages *********** **********":

*** ********** supports *** ********** *********** **********. The founders of SSD Disclosure were the founders of a security portal called SecuriTeam.com, back in 1998, which was one of the first full-disclosure web sites. We've defended researchers against SLAPP lawsuits and helped researchers conduct security research without fearing retaliation.

** **** *** ** ***** ****** researchers, **** ** ******, ** *** matters ******** ** *********** **********. *** is * ****** ********* ** **** effort - *** *********** *** **** to *** **** *** ********. *** two *** *** ******** *********. [******** added]

*** **** **** ** *** **** "Disclosing *************** *********** ***** ****" ***** ******** ****.

Responsible ********** ** **** ******* *** ****

*******, *** ******** ******* **** ** responsibly ********** **** ** ******* *.*. not **-******* ** ******. *** *******, the**** *** **********- ************** *** ****** ** ***** *********** - ****************"** ** *** ****** ** ************ the *************** **** *** ******** ******* the ***."

****** ** ***'* ***** **********, ***** **-***** *************** ** *** customers***** ********* *********, "** **** ****** **** ********* and ** ****** *** ********* **** carefully ******* * **** ****** *** diligence *** ******* *******."

*******, ******** **** *** ******** *** it ******** *********** ********** *** ******* vulnerabilities ** *******, ** *** ****. SSD ************* **********/************* *** ********, ****** ********.

*** **** ****, "** ***'* ******* on *** **** **** ******** ******* or *********, *** ** **** **** not ******* ** ***** ********** ********' policies ** *******."

SSD **-***** **** **** ********

**** ********* "******** *** *** ****** ********** program" *********'* ******** ******* ******;******* ** ************ **-***** ** *** ** ******'* corporate ********.

******* ** * ****** ****** ** the ******* ******** ************'* ***** ********, Unit ****, ********* ** ***** *********** *** ******* ********* *******. **** 8200 ** ******* ********** ** *** NSA ** *** ** *** "*********** in ************* ******* *** ********* **********,"*********** ********.

Risks ********

** ** ******** **** ***'* ********* only **** ** "***** *****-**" ** protect *** ******* **** *** *****. However, *** *** *** ******** **** out ***** *************** ***** **** ***********, either.

***** ************* ***** *** ********** *** bug ******** (** **** ** ***), e.g.,**** ******** ** ** $*,*** *** bounty,****** *********** ********* ** *********** - who *** ***** ******** ** ***** finding * ****** ******* - ** sell ** *** ** ******.

******* (*** ***** *** *****) ****** in***'* '*****'****** **** ** ***** **** *** may ** ******* ***** ****** ** their ***************, ****** **** ****** *** caution.

Comments (3)
Undisclosed End User #1
Aug 18, 2023

* ***** ***** ** * **** in *** ***** "******* *** ********". Should ** "******* *** ******"

Charles Rollet
Aug 18, 2023

***** *** *** ******** ****! ***** it

Undisclosed Manufacturer #2
Aug 18, 2023

***** **** "******* *** ******" *** being ******** ** "**********."
