- A company based in the United Arab Emirates called Crowdfense is offering millions of dollars for zero-day Android exploits.
- While a bounty for exploits is not a new concept, this Crowdfense bounty is mysterious, as the company won’t specifically say where the exploit goes from there.
- A zero-day Android exploit is pretty serious business, and this company’s intentions are unclear.
Sounds amazing, right? The only issue is that it is not clear what Crowdfense would then do with the exploit. The company admits that it would sell the exploit to other organizations, but which ones and for what purpose is unknown.
The Crowdfense website describes the company as “a world-leading vulnerability research hub” that “evaluates state-of-the-art active cyber-defense capabilities” and then “offers them to a carefully selected group of global institutional customers.” In other words, the company looks for holes in major systems and then sells the information to undisclosed organizations.
Crowdfense may well be a responsible broker that only passes exploit information to customers who use it lawfully, but it is hard not to imagine a company in its position selling the vulnerabilities to the highest bidder, which puts everyone running the affected software at risk. After all, we are talking about millions of dollars per exploit, which implies a very short list of potential customers.
For the sake of comparison, Google itself runs a bug bounty program for Android. But Google's payouts are typically in the thousands of dollars, with only its top-tier full-chain rewards reaching the low hundreds of thousands, not millions.
Crowdfense isn't just looking for Android exploits, either. It will pay hundreds of thousands up to millions of dollars for zero-day exploits affecting iOS, Windows, and macOS.
According to Crowdfense director Andrea Zapparoli Manzoni, via Motherboard, the company has $10 million banked, which it controls from its headquarters in the United Arab Emirates. Manzoni admits that Crowdfense’s customers are “law enforcement or intelligence” agencies that are looking for tools “aimed at collecting intelligence.” So it seems like the exploits go to government institutions. But which governments?
With our world becoming more and more connected, software vulnerabilities will only get more dangerous. If you find a weakness of any kind in any type of software, be sure to thoroughly vet any person or organization with which you would share that information.
April 26, 2018 at 12:40PM