While Hacking Team’s story continues to roll, we are hearing more and more about private companies who are merchants of hacks. One of the newest players in the field is a startup called Zerodium. As its name suggests, it specializes in acquiring zero-day exploits and then selling them off.
The start-up is backed by Vupen, the French vulnerability dealer that has often drawn controversy for brokering exploits to the highest bidder.
It works very simply: it offers three times the price that companies would usually pay for finding holes and exploits in their products. It will essentially function like a third-party bug bounty program, rewarding independent researchers for their zero-day discoveries. From there, it will analyze, document and report the findings to its clients (organizations and governments), “along with protective measures and security recommendations.”
In other words, it will pay a researcher more for an exploit for Google Chrome than Google will. And presumably, with no intention of ever informing Google—or Google’s users—of the issue.