Vulnerability researchers present very disparate realities—from simple enthusiasts to true professionals and to criminal organisations. How are the vulnerabilities they discover processed and exploited? What is the role of brokers? And what governance applies to this sometimes very lucrative activity? Is it effective at the international level?

The profile of vulnerability researchers is very varied. They can be people who are passionate about computers and want to improve the security of the tools they use every day, or developers involved in an open source community who contribute to the evolution of a given software solution. Their work is mostly altruistic.

Others manage to generate some additional income from their activity, or even make a living from it almost entirely, thanks in particular to bug bounty platforms such as HackerOne, YesWeHack and Yogosha, which give this activity a very serious framework.

« The vulnerability research sector has become much more professionalised in recent years. Specialisations have appeared, particularly around mobile, hardware, embedded technologies, Bluetooth, IoT… And the more specialised it is, the more valuable the strength of a crowdsourced platform is, » says Rayna Stamboliyska, author of « La face cachée d’Internet » [The hidden face of the Internet], published by Larousse.


Brokers: grey area and opacity

Finally, some vulnerability researchers resell the flaws they have identified to brokers, without much thought as to what will become of their findings. The business model of these companies is to sell the discovered vulnerabilities to the highest bidder. The buyer may, for example, be a state that will use the vulnerability offensively against another state, or a cybercriminal organisation that will use it to spy on the activities of a large group or to extort money from it via ransomware.

« The question of what happens to the vulnerabilities submitted to brokers is a real one. It remains a guess, but vulnerabilities are either bought by publishers to improve the security level of their solutions or exploited by offensive entities—such as states or criminal organisations—that use them for malicious purposes. The functioning of brokers is generally quite opaque, » says a market expert who prefers to remain anonymous.

Compared to the rewards offered by bug bounty platforms, the payout schedules of some brokers are very attractive. For instance, the site Zerodium publishes a schedule offering up to 2 or 2.5 million dollars for zero-day vulnerabilities affecting Android or iOS, respectively.

« This vulnerability broker is ‘borderline’ because of the exchanges it allows and facilitates. In addition to the transparency responsibilities of states with regard to this type of platform, we also note that there seem to be few respondents when zero-day vulnerabilities affecting publishers’ products are found for sale at a broker, » wonders Rayna Stamboliyska.

Are states completely transparent about their vulnerability activities? Far from it. To date, only the United States has formulated a doctrine on the subject. Called the Vulnerabilities Equities Process (VEP), it is used by the U.S. federal government to determine, on a case-by-case basis, how it should treat zero-day computer security vulnerabilities: whether to disclose them to the public to help improve general computer security, or to keep them secret for offensive use against other states.


A real issue for society and ‘living together’

« Vulnerabilities, including zero-day ones, are originally a purely technical subject. But at some point, they must become a governance issue. In other words, they represent a real issue for society and ‘living together’ because they involve questions of responsibility, accountability, and transparency, » analyses Rayna Stamboliyska.

Various international texts provide a framework for the trade in vulnerabilities. The best known is certainly the Wassenaar Arrangement, established in 1996 by 33 states (42 today). This multilateral export control regime was set up to coordinate the policies of the signatory states on the export of conventional arms and dual-use goods and technologies.

In the software sector, dual-use goods and technologies are products initially designed for civilian use that can be misused by their users for military, terrorist, or human rights abuse purposes. This includes intrusion software, cyber surveillance systems, exploits, and zero-day vulnerabilities.

« Because of its non-binding nature, the effectiveness of the Wassenaar Arrangement is limited. Participating states are under no obligation to transpose the lists of relevant goods into their domestic law. For example, the United States has not transposed a number of provisions on intrusion software vectors. And if we look at the content of the provisions themselves, the impact of the Wassenaar Arrangement is extremely weak, » says Aude Géry, a Doctor of Public International Law at the University of Rouen and a researcher at GEODE, a multidisciplinary research and training centre on the strategic issues of the digital revolution.


Wassenaar Arrangement: concerns expressed by security researchers

Other criticism of the Wassenaar Arrangement comes from the security research community. A number of the goods listed in the Wassenaar Arrangement are used by security researchers on a daily basis. Security researchers were concerned that reporting vulnerabilities to foreign companies would be subject to state notification and authorisation; that concern was set aside in 2017 and 2019, when responsible vulnerability reporting and incident response were excluded from those requirements. However, concerns remain, as the lack of transparency on how the provisions are interpreted continues to raise questions.

The reform of European Union law on the export of dual-use goods entered into force very recently, last September. It broadens the grounds on which exports must be refused, including cases of serious human rights violations. But, again, the question is how these provisions should be interpreted.

« For all these subjects, there are many interpretation issues, and it will be necessary to see the practice of states in this area. We often come up against a problem of transparency in this field. This is an extremely sensitive issue. I am waiting to see the reports produced by the states and their transparency before measuring the impact of this or that provision, » concludes Aude Géry.
