Andy Greenberg writes: At a Google-run competition in Vancouver last month, the search giant’s famously secure Chrome Web browser fell to hackers twice. Both of the new methods used a rigged website to bypass Chrome’s security protections and completely hijack a target computer. But while those two hacks defeated the company’s defenses, it was only a third one that actually managed to get under Google’s skin.
A team of hackers from French security firm Vupen were playing by different rules. They declined to enter Google’s contest and instead dismantled Chrome’s security to win an HP-sponsored hackathon at the same conference. And while Google paid a $60,000 award to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used, Vupen’s chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques—certainly not for $60,000 in chump change.
“We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.
In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret. Bekrar won’t detail Vupen’s exact pricing, but analysts at Frost & Sullivan, which named Vupen the 2011 Entrepreneurial Company of the Year in vulnerability research, say that Vupen’s clients pay around $100,000 annually for a subscription plan, which gives them the privilege of shopping for Vupen’s techniques. Those intrusion methods include attacks on software such as Microsoft Word, Adobe Reader, Google’s Android, Apple’s iOS operating systems and many more—Vupen bragged at HP’s hacking competition that it had exploits ready for every major browser. And sources familiar with the company’s business say that a single technique from its catalog often costs far more than its six-figure subscription fee.