An Exploit Sold on the "Vulnerability Market" Becomes the Next APT
Vulnerability markets or auctions are a worrisome new trend in information security. Some so-called "security" companies are selling zero-day software vulnerabilities to the highest bidder, while NOT disclosing them to the vulnerable vendor. They claim to "vet" their customers, and only sell to NATO governments and legitimate companies. However, it's easy to imagine exceptions if the price is right. Even selling vulnerabilities to a government without disclosing them allows that government to potentially leverage the flaws against its own citizens. These vulnerability auction houses threaten everyone's information and network security, and should be considered black markets.
Though it will be hard to prove, we expect one of these auctioned-off zero-day exploits to show up in some major targeted attack this year. Artificially inflating the value of vulnerabilities does nothing to help secure the victims who use that software, and selling exploits to the highest bidder without disclosing them just puts tools into the hands of potentially evil actors who obviously want to leverage them in cyber attacks.