Where Did the Bugs Go? Check the Gray Market, HP Report Says

Bug-brokers are willing to pay potentially hundreds of thousands of dollars for the most destructive software flaws.

On its face, it seems like a good sign in the battle against hackers: The number of known software vulnerabilities fell by nearly 1,700 last year.

Not so.

A new report from Hewlett-Packard said the drop — to 6,843 last year from 8,502 the year before — creates a “false sense of security.”

The reason is that there aren’t necessarily fewer bugs, just fewer frivolous ones being discovered. As for the harder-to-find, heavy-duty security holes? The people uncovering those are finding it more lucrative to sell their information on the gray market instead.

The HP report underlines a potentially worrisome trend about the state of computer security.

Professional security researchers and hobbyist hackers uncover security holes all the time. In recent years, companies such as Google, Facebook and Mozilla have started offering “bug bounties,” payments of potentially thousands of dollars to people who find flaws in their products and disclose them. The programs are designed to encourage so-called “white hat” hacking. HP’s TippingPoint division, for instance, runs a similar long-running program that, unlike the others, isn’t limited to specific products.

But many of the easiest-to-spot vulnerabilities have been found. Hackers have scavenged popular software programs for holes and picked a lot of the low-hanging fruit. That means many of the vulnerabilities that are found now are more serious, harder to detect, and thus more lucrative on the gray market. So-called bug-brokers may pay hundreds of thousands of dollars for the most destructive software flaws.

One such firm is Vupen Security, a consultancy that openly sells “government-grade exploits specifically designed for offensive missions.” Because buying and selling software bugs isn’t illegal, companies such as Vupen face the wrath of security researchers instead of the force of any rule of law.

Vupen, based in Montpellier, France, gained notoriety last month at a hacking competition in Canada called Pwn2Own, which TippingPoint sponsors. Vupen researchers demonstrated a successful attack against Google’s Chrome browser, but rejected the search giant’s request — and cash — for details on how they did it, arguing the details are worth far more in the underground market.

HP said this leads to a “significant” number of bugs remaining in the shadows.