Forbes has an interesting look at French security firm Vupen, which claims to sell its zero-day exploits of popular software and operating systems (including iOS) to government agencies for six-figure sums. But it raised several questions for me.
Vupen has publicly shown off exploits of Chrome but generally keeps its work private, preferring to sell them to governmental agencies that subscribe to its newsletter to the tune of $US100,000 a year. But while it says it sticks to NATO governments and “NATO partners”, that seems pretty hard to police, no? And if these guys really are (as my security researcher pretend boyfriend Chris Soghoian calls them) “the Snooki of this industry”, isn’t it possible that the entire selling-to-government black ops stuff is just publicity-seeking shenanigans?
I’d love to see a deeper piece on this. I get why Vupen wouldn’t want to show off its client list publicly, but this seems to be the kind of thing that could and should have been confirmed on background. But when you claim to be selling to spies, and only the good kind of spies, that claim seems like it could use a little more verification.
Oh, and hey. Please don’t hack me. [Forbes]