
Is Vupen black hat or white hat?

November 14, 2012

I was talking to GFI Software about the new patch management module added to their VIPRE Business product – but as so often happens in interesting conversations we got side-tracked. Since patches are often forced by researchers’ vulnerability disclosures, I asked GFI for its position on full vs responsible disclosure. This led to the difference between black hat and white hat researchers: basically, Jong (Jong Purisima, antivirus lab manager) told me, “black hat researchers sell their vulnerabilities for money, while white hat researchers report the vulnerability to help the user be more secure and gain the kudos for the discovery.”

Incidentally, as a vendor, GFI would like a couple of days' prior warning before a white hat researcher goes public, but believes that a fortnight is more than reasonable – a refreshing attitude compared to the ‘don’t ever disclose’ hysteria promoted by some vendors.

Anyway, a black hat researcher sells his discoveries to make money. So where does that put Vupen? Vupen is a sort of zero-day broker. It buys or develops zero-day exploits and sells them to governments. We are told it doesn’t sell them to anyone else; but that is pretty difficult to prove or disprove. (Even there, given the US Olympic Games project, and the Stuxnet and Flame episodes, there seems little difference between governments and criminal gangs anyway.)

So that’s the question. Is Vupen black hat or white hat? Jong said, “technically, they’re black hat.” Mark (Mark Patton, general manager of the Security Business Unit) suggested, “Grey hat? Perhaps dark grey hat?” To me, Vupen is simply a black-as-night hat. Any takers?

  1. Anonymous
    November 14, 2012 at 5:10 pm

    Troll article detected written by a fake journalist, wondering who is the real person behind this fake blog (probably a vendor) ??


    • November 14, 2012 at 5:14 pm

      A rather stupid comment since my name is all over this site; but you’re allowed your opinion. Unlike yours.


      • Anonymous
        November 14, 2012 at 5:41 pm

        You are a fake journalist and this blog is fake, nobody knows you, and nobody has met you or seen you before, so this blog is a classic fake blog run by a vendor hiding behind a fake journalist, well done.


  2. November 14, 2012 at 4:55 pm

    that’s a pretty strange statement for GFI to make about black hats. there are actually white hats who sell their research for money too (that’s what bug bounties, pwn2own, and pwnium are basically about).

    a more useful deciding factor, i think, is whether an entity works towards getting the vulnerability research into the hands of the people who can fix the vulnerability. vupen fails that litmus test in spades – they’ve made it clear they will not sell vulns/exploits to the affected vendor, not even for a million dollars.


    • November 14, 2012 at 5:05 pm

      In fairness I don’t think there’s much difference between the view from GFI and yours (any fault would be mine in the writing).

      But aren’t vulnerabilities ‘bought’ by the bounty schemes, rather than ‘sold’ by the researchers? In this scenario the key would be what happens next if the vulnerability isn’t bought: if disclosed to the vendor or revealed in the slightest bit responsibly, the researcher is white hat; if sold or given to or used by criminals, the researcher is black hat.


      • November 14, 2012 at 5:29 pm

        to my mind, when one side buys the other side sells. you can’t have one without the other.

        i don’t think i’ve ever heard of anyone handing bugs over to the bad guys after failing to hand it over to the good guys. at least not intentionally.

        if the vendor themselves won’t pay (perhaps because they don’t pay outsiders for that sort of thing) there are brokers who will pay and then work with the vendor. if someone is looking to get paid for their research and they go to the vendors or brokers first, even though they could probably get more money by going to the bad guys, then they are unlikely to ever go to the bad guys because they are motivated by more than just money.


  3. a
    November 14, 2012 at 4:50 pm

    Vupen doesn’t buy 0-days.

