Former world's most wanted hacker Kevin Mitnick now sells zero-day exploits

Himanshu Arora

Kevin Mitnick, a famous (former) hacker who is now a security consultant, has ventured into a new business: buying and selling high-end zero-day exploits. Dubbed Absolute Zero Day Exploit Exchange, the six-month-old service sells exclusive unpatched exploits to corporate as well as government clients for over a whopping $100,000.

For the uninitiated, a zero-day exploit is an attack taking advantage of a vulnerability for which no official patch has been released by the vendor. This means that no days (zero days) have elapsed between the time the vulnerability was discovered and the time an official patch was made available.

Mitnick says the service offers exploits developed both by his own team and by independent researchers. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between”, he said. There is also a premium option under which the company digs up new zero-days that target whatever software the customer specifies.

When asked what his customers will do with those exploits, he said the company never asks the purpose. He also declined to name any of the company's clients, although the newly launched project website offers some hints.

Considering that Mitnick doesn't have a good history with the government, it's ironic that he is indirectly helping law enforcement spy on people. However, he refutes the claim, saying that there's a screening process in place.

“I’m not interested in helping government agencies spy on people”, he says. “Customers want to buy this information, and they’ll pay a certain price. If they pass our screening process, we’ll work with them”.

Kevin Mitnick was once known as the "World’s Most Wanted" computer hacker. While in Federal custody, he was even placed in solitary confinement reportedly because law enforcement officials had convinced the judge that he could “start a nuclear war by whistling into a pay phone”.

 
There are people who try to help society in some way and then there are those only interested in helping themselves in as many ways as possible.
 
Actually it was:
Start World War III by just farting in a fax machine.
 
There are people who try to help society in some way and then there are those only interested in helping themselves in as many ways as possible.

Not to be mean spirited and all that, but aren't these still criminal acts? Is it not illegal to hack into proprietary code and sell the results so people can defraud, destroy, or blackmail users? Shouldn't this guy be shot? Ok, at least jailed?
 
He (or whoever found the exploit) can give that info to anyone he pleases, even get paid for it.
This is not like cracking or hacking, it doesn't change the code, but with this exploit you CAN change the code.
Different things.
 
It only becomes a criminal act if it gets found out. The secret of this process is not getting caught then there is no crime because nothing is missing.......
 
What stops me from buying them all, passing the so-called screening process, which is complete BS btw, and then selling them to NSA? Nothing!

For all you know, I already am. ;)
 