Vupen

Last updated
Vupen Security
Company type Société anonyme
Industrycomputer programming  OOjs UI icon edit-ltr-progressive.svg
Founded2004 (2004)
DefunctMay 5, 2015 (2015-05-05) [1]
Headquarters
Montpellier
,
France
Area served
 Information security, Espionage
Websitevupen.com

Vupen Security was a French information security company founded in 2004 and based in Montpellier with a U.S. branch based in Annapolis, Maryland. Its specialty was in discovering zero-day vulnerabilities in software from major vendors in order to sell them to law enforcement and intelligence agencies which used them to achieve both defensive and offensive cyber-operations. [2] Vupen ceased trading in 2015, and the founders created a new company Zerodium.

Contents

Work

In 2011, 2012, 2013 and 2014 Vupen won first prize in the hacking contest Pwn2Own, most notably in 2012 by exploiting a bug in Google Chrome. Their decision not to reveal the details of the vulnerability to Google, but rather to sell them, was controversial. [3] Unlike in 2012, during Pwn2Own 2014, Vupen decided to reveal to the affected vendors, including Google, all its exploits and technical details regarding the discovered vulnerabilities, which led to the release of various security updates from Adobe, Microsoft, Apple, Mozilla, and Google to address the reported flaws. [4]

Some years ago, Vupen was still providing information about vulnerabilities in software for free but then decided to monetize its services. "The software companies had their chance", said Vupen-founder Chaouki Bekrar according to an article in Die Ziet , "now it's too late". [5] On 15 September 2013, it was revealed that the NSA was a client of Vupen and had a subscription to its exploit service. [6] On 9 November 2014, the German magazine Der Spiegel reported that the German information security agency BSI, tasked with the protection of federal government networks, was also a client of Vupen. [7] On 22 July 2015, it was revealed that Vupen provided exploits to the Italian company Hacking Team between 2010 and 2011. [8]

On 5 May 2015, Vupen's founders filed documents to close the company [1] and moved to the US to start a new cybersecurity startup named Zerodium.

Zerodium

On 23 July 2015, Vupen's founders launched their new cybersecurity company Zerodium in the US. The company has a different business model as it acquires zero-day capabilities from independent researchers and reports them, along with protective measures and security recommendations, to its government clients. [9]

Related Research Articles

An exploit is a method or piece of code that takes advantage of vulnerabilities in software, applications, networks, operating systems, or hardware, typically for malicious purposes. The term "exploit" derives from the English verb "to exploit," meaning "to use something to one’s own advantage." Exploits are designed to identify flaws, bypass security measures, gain unauthorized access to systems, take control of systems, install malware, or steal sensitive data. While an exploit by itself may not be a malware, it serves as a vehicle for delivering malicious software by breaching security controls.

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

Vulnerabilities are flaws in a computer system that weaken the overall security of the system.

A zero-day is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor has zero days to prepare a patch as the vulnerability has already been described or exploited.

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

<span class="mw-page-title-main">Malwarebytes</span> Internet security company

Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia; Bastia Umbra, Italy; and Cork, Ireland.

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. First held in April 2007 in Vancouver, the contest is now held twice a year, most recently in March 2024. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.

Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.

<span class="mw-page-title-main">Tailored Access Operations</span> Unit of the U.S. National Security Agency

The Office of Tailored Access Operations (TAO), now Computer Network Operations, and structured as S32, is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). It has been active since at least 1998, possibly 1997, but was not named or structured as TAO until "the last days of 2000," according to General Michael Hayden.

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

The cyber-arms industry are the markets and associated events surrounding the sale of software exploits, zero-days, cyberweaponry, surveillance technologies, and related tools for perpetrating cyberattacks. The term may extend to both grey and black markets online and offline.

Zerodium is an American information security company. The company was founded in 2015 with operations in Washington, D.C., and Europe. The company develops and acquires zero-day exploits from security researchers

The market for zero-day exploits is commercial activity related to the trafficking of software exploits.

NOBUS is a term used by the United States National Security Agency (NSA) to describe a known security vulnerability that it believes the United States (US) alone can exploit.

Zero Day Initiative (ZDI) is an international software vulnerability initiative that was started in 2005 by TippingPoint, a division of 3Com. The program was acquired by Trend Micro as a part of the HP TippingPoint acquisition in 2015.

Candiru is a private Tel Aviv-based company founded in 2014 which provides spyware and cyber-espionage services to government clients. Its management and investors overlap significantly with that of NSO Group. Its operations began being uncovered in 2019 by researchers at CitizenLab, Kaspersky, ESET. Microsoft refers to the company's cyber-espionage operations as "Caramel Tsunami/SOURGUM" while Kaspersky refers to it as "SandCat"

<span class="mw-page-title-main">Jonathan Brossard</span> French computer scientist

Jonathan Brossard also known under the username 'endrazine', is a French security hacker, engineer and a Professor of computer science at the Conservatoire National des Arts et Metiers. He is best known as a pioneer in firmware cybersecurity, having presented the first public example of a hardware backdoor. The MIT Technology Review called it "undetectable and uncurable". He has presented several times at conferences such as Defcon and Blackhat, as the Director of Security at Salesforce.

References

  1. 1 2 Registre des sociétés, Societe.com
  2. Andy Greenberg (21 March 2012). "Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)". Forbes .
  3. Kim Zetter (3 September 2012). "How to Pwn the Pwn2Own Contest". Wired .
  4. Google (14 March 2014). "Chrome Stable Channel Update".{{cite news}}: |author= has generic name (help)
  5. Philipp Alvares de Souza Soares: Cyberspionage: Durch die Hintertuer, in: Die Zeit October 2nd 2013.
  6. NSA Contracted With Zero-Day Vendor Vupen, Darkreading
  7. BND will Informationen ueber Software-Sicherheitsluecken einkaufen, in: Der Spiegel November 9th 2014.
  8. Hacking Team: a zero-day market case study, Vlad Tsyrklevich's blog
  9. Fisher, Dennis (July 24, 2015). "VUPEN Founder Launches New Zero-Day Acquisition Firm Zerodium". ThreatPost.com. Retrieved November 3, 2015.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.