We’ve decided to terminate our Exploit Acquisition Program (again).   Our motivation for termination revolves around ethics, politics, and our primary business focus.  The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations.  While it is not a vendors responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us.  The ethics of that are appalling and we want nothing to do with it.

While EAP was an interesting and viable source of information for Netragard it was not nor has it ever been Netragard’s primary business focus. Netragard’s primary focus has always been the delivery of genuine, realistic threat penetration testing services.  While most penetration testing firms deliver vetted vulnerability scans, we deliver genuine tests that replicate real world malicious actors.  These tests are designed to identify vulnerabilities as well as paths to compromise and help to facilitate solid protective plans for our customers.

It is important to mention that we are still in strong favor of ethical 0-day development, brokering and  sales.  The need for 0-days is very real and the uses are often both ethical and for the greater good. One of the most well known examples was when the FBI used a FireFox 0-day to target and eventually dismantle a child pornography ring.  People who argue that all 0-day’s are bad are either uneducated about 0-days or have questionable ethics themselves.  0-days’s are nothing more than useful tools that when placed in the right hands can benefit the greater good.

If and when the 0-day market is correctly regulated we will likely revive EAP.  The market needs a framework (unlike Wassenaar) that holds the end buyers accountable for their use of the technology (similar to how guns are regulated in the US).  Its important that the regulations do not target 0-days specifically but instead target those who acquire and use them.  It is important to remember that hackers don’t create 0-day’s but that software vendors create them during the software development process.  0-day vulnerabilities exist in all major bits of software and if the good-guys aren’t allowed to find them then the bad-guys will