Is Vupen black hat or white hat?
I was talking to GFI Software about the new patch management module added to their VIPRE Business product – but as so often happens in interesting conversations we got side-tracked. Since patches are often forced by researchers’ vulnerability disclosures, I asked GFI for its position on full vs responsible disclosure. This led to the difference between black hat and white hat researchers: basically, Jong (Jong Purisima, antivirus lab manager) told me, “black hat researchers sell their vulnerabilities for money, while white hat researchers report the vulnerability to help the user be more secure and gain the kudos for the discovery.”
Incidentally, as a vendor, GFI would like a couple of days prior warning before a white hat researcher goes public, but believes that a fortnight is more than reasonable – a refreshing attitude compared to the ‘don’t ever disclose’ hysteria promoted by some vendors.
Anyway, a black hat researcher sells his discoveries to make money. So where does that put Vupen? Vupen is a sort of zero-day broker. It buys or develops zero-day exploits and sells them to governments. We are told it doesn’t sell them to anyone else; but that is pretty difficult to prove or disprove. (Even there, given the US Olympic Games project, and the Stuxnet and Flame episodes, there seems little difference between governments and criminal gangs anyway.)
So that’s the question. Is Vupen black hat or white hat? John said, “technically, they’re black hat.” Mark (Mark Patton, general manager of the Security Business Unit) suggested, “Grey hat? Perhaps dark grey hat?” To me, Vupen is simply a black-as-night hat. Any takers?
Kevin Townsend 
Troll article detected written by a fake journalist, wondering who is the real person behind this fake blog (probably a vendor) ??
LikeLike
A rather stupid comment since my name is all over this site; but you’re allowed your opinion. Unlike yours.
LikeLike
You are a fake journalist and this blog is fake, nobody knows you, and nobody has met you or saw you before, so this blog is a classic fake blog run by a vendor hiding behind a fake journalist, well done.
LikeLike
that’s a pretty strange statement for GFI to make about black hats. there are actually white hats who sell their research for money too (that’s what bug bounties, pwn2own, and pwnium are basically about).
a more useful deciding factor, i think, is whether an entity works towards getting the vulnerability research into the hands of the people who can fix the vulnerability. vupen fails that litmus test in spades – they’ve made it clear they will not sell vulns/exploits to the affected vendor, not even for a million dollars.
LikeLike
In fairness I don’t think there’s much difference between the view from GFI and yours (any fault would be mine in the writing).
But aren’t vulnerabilities ‘bought’ by the bounty schemes, rather than ‘sold’ by the researchers? In this scenario the key would be what happens next if the vulnerability isn’t bought: if disclosed to the vendor or revealed in the slightest bit responsibly, the researcher is white hat; if sold or given to or used by criminals, the researcher is black hat.
LikeLike
to my mind, when one side buys the other side sells. you can’t have one without the other.
i don’t think i’ve ever heard of anyone handing bugs over to the bad guys after failing to hand it over to the good guys. at least not intentionally.
if the vendor themselves won’t pay (perhaps because they don’t pay outsiders for that sort of thing) there are brokers who will pay and then work with the vendor. if someone is looking to get paid for their research and they go to the vendors or brokers first, even though they could probably get more money by going to the bad guys, then they are unlikely to ever go to the bad guys because they are motivated by more than just money.
LikeLike
Vupen doesn’t buy 0ds.
LikeLike