Zero Day Exploits

I subscribe to the magazine Fast Company. This past month I read a very interesting article entitled “Fear of a Black Hat”. It covered the sale of Zero Day Threats. The article did not focus on the details of the threats. It was more concerned with how one hacker profits greatly from the sale of such threats that he discovered. Personally, I had never heard of such exploits. So I decided to do a little more studying on this type of hack.

All software has vulnerabilities. Sometimes when these vulnerabilities are discovered, their existence is published. Then, normally, software manufacturers release patches that fix and remove the vulnerability. However, there exist some such threats that have not been made public. These holes are thus not patched by the software vendors, and they can be used to attack systems. It is these unpatched holes that are called Zero Day Exploits.

The curious thing about such Zero Day Exploits is that it is not necessarily illegal to sell information about them. In fact, legitimate companies and/or governments do pay for information about them. Obviously there is something a little sketchy about this business. However, I do not think the sale of them breaks any laws. According to the Fast Company magazine article, this stance on its legality is shared by the Electronic Frontier Foundation as well.

I imagine there is a fine line between the world of information security and the world of the black hat. The people making the big money by selling Zero Day exploits are doing so as a business venture. Yes, maybe these people are small operations in terms of personnel. But the amount of money changing hands is not small. Fast Company states that the right exploits can fetch well into the six-figure range. This may even be a viable business venture. Why else would a magazine like Fast Company be covering it?