Sunday, March 28, 2010

Exploit Acquisition Program - More Details

The recent news on Forbes about our Exploit Acquisition Program has generated a lot of interesting speculative controversy and curiosity. As a result, I've decided to take the time to follow up with this blog entry. Here I'll make a best effort to explain what the Exploit Acquisition Program is, why we decided to launch the program, and how the program works.

What it is:

The Exploit Acquisition Program ("EAP") officially started in May of 1999 and is currently being run by Netragard, LLC. EAP specifically designed to acquire "actionable research" in the form of working exploits from the security community. The Exploit Acquisition Program is different than other programs because participants receive significantly higher pay for their work and in most cases the exploits never become public knowledge.

The exploits that are acquired via the EAP are sold directly to specific US based clients that have a unique and justifiable need for such technologies. At no point does Netragard sell or otherwise export acquired exploits to any foreign entities. Nor do we disclose any information about our buyers or about participating researchers.

Why did we start the EAP?

Netragard launched the EAP to give security researchers the opportunity to receive fair value for their research product. Our bidding prices start at or around $15,000 per exploit. That price is affected by many different variables.

How does the EAP Work?

The EAP works as follows:
  1. Researcher contacts Netragard.
  2. Researcher and Netragard execute a Mutual Nondisclosure Agreement.
  3. Researcher provides a verifiable form of identification to Netragard.
  4. Researcher fills out an Exploit Acquisition Form ("EAF").
  5. Netragard works with the buyer to determine exploit value based on the information provided in the EAF.
  6. Researcher accepts or rejects the price. Note: If rejected, the process stops here.
  7. Researcher submits the exploit code and vulnerability details to Netragard.
  8. Netragard verifies that the exploit works as advertised.
  9. If the exploit does not work as advertised then the researcher is given the opportunity to resolve the issue(s).
  10. If the exploit does work as advertised then the purchase agreement is delivered to the researcher.
  11. Researcher executes purchase agreement and transfers all rights and ownership of the exploit and any information related to the exploit to Netragard. At this point researcher loses all rights to the exploit and its respective information.
  12. Netragard begins the payment process.
  13. Payments are issued in three equal installments over the course of three months.
EAP Rules
  1. Netragard requires exclusivity for all exploits purchased through the EAP.
  2. Ownership of the exploit and its respective vulnerability information are transferred from researcher to Netragard at step 11 above. Prior to step 11 the exploit and its respective vulnerability information are the intellectual property of the researcher. If at any point before step 11 the researcher terminates the acquisition process then Netragard will destroy any and all information related to failed transaction. Termination of sale is not possible after step 11.
  3. Netragard will not identify its buyers.
  4. Netragard will not identify researchers.
  5. All transactions between buyer, Netragard and developer are done legally and contractually. At no point will Netragard engage in illegal activity or with unknown, untrusted, and/or unverifiable sources or entities.
If you are interested in selling your exploit to us, please contact us at

Thursday, March 4, 2010

Professional Script Kiddies vs Real Talent

The Good Guys in the security world are no different from the Bad Guys; most of them are nothing more than glorified Script Kidies. The fact of the matter is that if you took all of the self-proclaimed hackers in the world and you subjected them to a litmus test, very few would pass as acutal hackers.

This is true for both sides of the so called Black and White hat coin. In the Black Hat world, you have script-kids who download programs that are written by other people then use those programs to “hack” into networks. The White Hat’s do the exact same thing; only they buy the expensive tools instead of downloading them for free. Or maybe they’re actually paying for the pretty GUI, who knows?

What is pitiable is that in just about all cases these script kiddies have no idea what the programs actually do. Sometimes that’s because they don’t bother to look at the code, but most of the time its because they just can’t understand it. If you think about it that that is scary. Do you really want to work with a security company that launches attacks against your network with tools that they do not fully understand? I sure wouldn’t.

This is part of the reason why I feel that it is so important for any professional security services provider to maintain an active research team. I’m not talking about doing market research and pretending that its security research like so many security companies do. I’m talking about doing actual vulnerability research and exploit development to help educate people about risks for the purposes of defense. After all, if a security company can’t write an exploit then what business do they have launching exploits against your company?

I am very proud to say that Everything Channel recently released the 2010 CRN Security Researchers list and that Netragard’s Kevin Finisterre was on the list. Other people that were included in the list are people that I have the utmost respect for. As far as I am concerned, these are some of the best guys in the industry: (clearly this list is not all inclusive and in no way includes all of the people that deserve credit for their contributions and/or talent).

  • Dino Dai Zovi
  • Kevin Finisterre
  • Landon Fuller
  • Robert Graham
  • Jeremiah Grossman
  • Larry Highsmith
  • Billy Hoffman
  • Mikko Hypponen
  • Dan Kaminsky
  • Paul Kocher
  • Nate Lawson
  • David Litchfield
  • Charles Miller
  • Jeff Moss
  • Jose Nazario
  • Joanna Rutkowska

In the end I suppose it all boils down to what the customer wants. Some customers want to know their risks; others just want to put a check in the box. For those who want to know what their real risks are, you’ve come to the right place.