Meet Vupen, the Enemy…Making Big Money on Vulnerabilities.

By in Tech on March 23, 2012

Thanks again to my good friend Abraham Smith, who tweeted an article from Forbes this morning.

The article appears in their April 9th edition and details the French security firm that hires and handsomely pays hackers, then sells their exploits and intrusion techniques into your private systems to the highest-bidding spy agencies and governments on the planet.

In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret. Bekrar won’t detail Vupen’s exact pricing, but analysts at Frost & Sullivan, which named Vupen the 2011 Entrepreneurial Company of the Year in vulnerability research, say that Vupen’s clients pay around $100,000 annually for a subscription plan, which gives them the privilege of shopping for Vupen’s techniques. Those intrusion methods include attacks on software such as Microsoft Word, Adobe Reader, Google’s Android, Apple’s iOS operating systems and many more—Vupen bragged at HP’s hacking competition that it had exploits ready for every major browser. And sources familiar with the company’s business say that a single technique from its catalog often costs far more than its six-figure subscription fee.

Even at those prices, Vupen doesn’t sell its exploits exclusively. Instead, it hawks each trick to multiple government agencies, a business model that often plays its customers against one another as they try to keep up in an espionage arms race.

Last summer, groups like Lulzsec and Anonymous successfully carried out multiple attacks against gaming companies, including Nintendo, Sony, Bethesda, Codemasters, and EA. The attack on the Sony Pictures website yielded the personal details of 40,000 of its customers. The groups also launched DDoS (denial-of-service) attacks against Minecraft, Eve Online, League of Legends, and the Escapist website.

But why did they do it?

Some postulated last year that the attacks were a response to Sony’s court case against hacker George Hotz, who figured out how to get around the security protocols of the PS3 console, opening the system up to pirated software. While this may in fact be true, and may have been the kick that started the snowball rolling down the hill…the real reason that attacks like these happen, that they do these things…

…is because they can.

A successful attack provides notoriety and, after a short prison sentence, a potential six-figure job at companies just like Vupen.