2

There are companies like Zerodium (Wikipedia: https://en.wikipedia.org/wiki/Zerodium) that buy "functional exploits" and sell them to "corporate and government clients". These are zero-day vulnerabilities, that is, vulnerabilities that are unknown to the developer of the software. Ethical hackers and professional security researchers typically report these vulnerabilities to the developer, so that they can be fixed. But companies like Zerodium buy these exploits and resell them to somebody else, we don't know who exactly. These people who buy the exploits from Zerodium are not going to use them legally, because as far as I know there is no reasonable way to use a zero-day exploit legally, other than reporting it to the developer (which they are not doing). Apparently the government is also buying the exploits from them, but that doesn't make it legal anyway.

Somebody might think that this is more or less like buying and selling guns, which is legal in the US. However, it's not really like that. First of all, guns can be used for several legitimate purposes, from fun to self-defense, while zero-days exploits cannot reasonably have such purposes IMO. And then, we don't really know who companies like Zerodium are selling the exploits to.

So how can all this be legal? Are there any specific laws in this field that allow it? Or are there any laws that would define this as illegal, or allow somebody to sue such companies in any way?

reed
  • 1,838
  • 1
  • 11
  • 22
  • 1
    Conceivably, the buyer could be using the information to patch their own systems before the exploit becomes more widely known. That would certainly be a legal way to use the exploit. – Nate Eldredge Dec 10 '18 at 19:28
  • @BlueDogRanch, that question is interesting and very similar, however it is more general and there are no definite answers at the moment. This is more specific to a kind of company in the US. – reed Dec 10 '18 at 21:41
  • 1
    Why would there need to be a legal use for something in order for the sale to be legal? If a use of something is illegal, then the use is illegal, not the sale. A sale of something is allowed unless that sale is somehow prohibited by a law of some sort. – Brandin Dec 11 '18 at 05:25
  • @Brandin because they are buying and selling very dangerous stuff, doing it secretly (their clients are kept secret), and giving an advantage to a few people (their clients) while at the same time putting millions of other users and companies at risk. Doesn't that sound like something that should be regulated, or at least makes you wonder why it isn't? It isn't "obvious" why it is legal. Anyway, the real reason seems to be that it's not illegal unless you can prove it is used illegally (and it can't be done because everything is kept secret). See the answer I accepted below. – reed Dec 14 '18 at 17:34

2 Answers2

3

Note that what is being bought or sold here is actually information about the exploit. Attempting to criminally penalize the transmission of information in the US often runs into First Amendment issues.

If a person has good reason to know that information is going to be used to commit a crime, or is likely to be so used, and there is no plausible legitimate use for the information, that person might be charged with complicity or conspiracy for distributing the information. But where there are legitimate uses, that is much less likely. Here the information could be used to defend against the exploit, or to identify and remove software subject to the exploit, or for research into such exploits generally. There may be other legit uses as well.

Some years ago the Federal government attempted to prosecute a person for exporting a book describing how to create an encryption program. The courts eventually ruled that this was protected speech. I suspect a similar ruling would be made in the sort of case described in the question, but the details would matter.

David Siegel
  • 113,558
  • 10
  • 204
  • 404
  • I believe the "exported book" was the PGP program. One measure taken was to print the entire source code as a book, export that, and then scan it back in using OCR, but the actual criminal investigation was against the program's author. https://en.wikipedia.org/wiki/Phil_Zimmermann#Arms_Export_Control_Act_investigation – Paul Johnson Dec 11 '18 at 11:12
  • I might be wrong, but I think these companies are not only buying information, but also working proof-of-concepts. Your answer probably contains the real reason why it is allowed though: to be illegal, you would have to prove that it is used to commit a crime. But the problem is that we don't have a way to prove that, because the list of clients is kept secret. Why are they secret? I can't think of a good reason. Long story short: some of them are probably using exploits illegally, but they keep everything secret so that there is no way to prove it. – reed Dec 14 '18 at 17:22
  • @reed If law-enforcement authorities suspect a crime in such a case, they could subpoena customer lists. Note that most businesses keep customer lists confidential, this is not suspicious. Note also that it is not up to 'us" to prove illegality, but to the relavant authorities. – David Siegel Dec 16 '18 at 17:28
2

how can all this be legal?

There are at least two lawful, possible uses of exploits. One is for research purposes, whereby an entity (necessarily an assembly programmer) analyzes the opcodes of the exploit to abstract its model. Having done that, the programmer is in a position to verify whether the in-house applications (or products, in the case of a software vendor) are vulnerable to that type of vulnerability, and therefrom proceed accordingly.

The second lawful use could be to achieve a shortcut to the targeted application's API and/or resources, thereby overcoming restrictions that might be permissible in terms of licensing but which the vendor is not interested in implementing upon customer's request. Given the high risk of costly system disruptions that this implies, it is utmost important for the programmer to know what he is doing when toying with these exploits for deployment in Production.

Iñaki Viggers
  • 1
  • 4
  • 68
  • 95