I found this page over on VUPEN's website interesting. Basically, they are now following the Wassenaar Arrangement, which classifies their 0-days and exploits as regulated and export-controlled “dual-use” technologies. Going forward, they will only sell to approved government agencies in approved countries.
The interesting thing to note is that the US is listed as a “Participating State” of this agreement as well. Does anyone know of proposed or existing laws that force the same restrictions in the US? The recently passed 2014 National Defense Authorization Act spending bill we discussed last week might just be the start.
The big question is where the government will draw the line in terms of defining “dual-use.” Will day-to-day security tools (e.g., Nessus and Nmap) fit into this category? What about a quick bash script you write up to brute-force web application session IDs? Only time will tell…
As the leading source of advanced vulnerability research, VUPEN provides government-grade zero-day exploits specifically designed for law enforcement agencies and the intelligence community to help them achieve their offensive cyber missions and network operations using extremely sophisticated and exclusive zero-day codes created by VUPEN Vulnerability Research Team (VRT).
While other companies in the offensive cyber security field mainly act as brokers (buy vulnerabilities from third-party researchers and then sell them to customers), VUPEN’s vulnerability intelligence and codes result exclusively from in-house research efforts conducted by our team of world-class researchers.
Our offensive and exclusive exploits take advantage of undisclosed zero-day vulnerabilities discovered by VUPEN researchers, and bypass all modern security protections and exploit mitigation technologies including DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), sandboxes, and Antivirus products.
Today’s post pic is from Ifex.org.