BTS #59 - Exploit Marketplaces

In this episode of Below the Surface, host Paul Asadoorian speaks with Evan Dornbush, CEO of Desired Effect, about the evolving landscape of exploit marketplaces and vulnerability research. They discuss the challenges researchers face in monetizing their findings, the ethical implications of selling exploits, and the importance of timely intelligence for defenders. The conversation also touches on the role of AI in vulnerability research, the dynamics between buyers and sellers in the marketplace, and the impact of end-of-life devices on cybersecurity. Overall, the episode provides valuable insights into the complexities of the exploit marketplace and the need for a more proactive approach to cybersecurity.

Transcript

Paul Asadoorian (00:04.738) Okay, it’s not giving me any feedback, but it’s not giving me any errors, which is good. It’s good. And we’re all uploading. You’ve done this show before. Yeah. Yeah, I think it was this one. Yeah. Well, it’s just the two. Okay, maybe three shows that I do now. So yeah, I have a bad podcast habit. I just have to do lots of podcasts. All right. You guys ready? All right, let’s do it.

Evan Dornbush (00:19.189) done a show of yours. I feel like you have so many shows I don’t even know. Could be.

Paul Asadoorian (00:40.95) This week, we welcome Evan Dornbush. He is the CEO and founder of Desired Effect, and we’re gonna be talking about exploit marketplaces. Stay tuned, Below the Surface coming up next.

Paul Asadoorian (00:56.042) Welcome to Below the Surface. It’s episode number 59, being recorded on Wednesday, September 3rd, 2025. I’m of course your host, Paul Asadoorian, joined by a couple of my coworkers. Mr. Chase Snyder is here with us. Chase, welcome. And from the Quiet Room, in an undisclosed location, Mr. Vlad Babkin is here with us. Vlad, welcome.

Chase Snyder (01:08.948) Bye guys.

Paul Asadoorian (01:17.698) Thanks for joining us, guys. Just a quick announcement before we get started. Of course, Below the Surface listeners can learn more about Eclypsium by visiting Eclypsium.com forward slash go. There you’ll find the ultimate guide to supply chain security, an on-demand webinar I presented called Unraveling Digital Supply Chain Threats and Risk, a paper on the relationship between ransomware and the supply chain, and a customer case study with DigitalOcean. If you’re interested in seeing our product in action, you can always sign up for a demo at Eclypsium.com forward slash go.

Joining us today, we have a special guest. Evan Dornbush is a former NSA operator and CEO and founder of Desired Effect, a marketplace for zero-day exploits established in 2025. Evan is also the host of Hackers on the Rocks and has appeared previously on the show. Evan, welcome back to Below the Surface.

Evan Dornbush (02:07.295) Yeah, thanks for having me back. Appreciate it.

Paul Asadoorian (02:09.442) It’s nice having you dude, your entrepreneurial spirit is alive and thriving. And since we’ve last spoken, you’ve created a company. Why don’t you give us a little bit, Evan, about your background and how and why you created your new company.

Evan Dornbush (02:25.105) Man, I can go on for that. Feel free to heckle too. I think, background: started my career at NSA on the offensive side of cyber. Long story short, there was a moment in time when a bunch of us recognized that we would have more of an impact on mission outside the building than inside the building, particularly in terms of…

Paul Asadoorian (02:26.816) Mm-hmm.

Paul Asadoorian (02:43.926) Yeah, I’ve heard that from more than one person that said three-letter government agency.

Evan Dornbush (02:51.295) Yeah, I think we were interested in initial access, and doing that kind of research requires facilities, and obviously secure facilities, and I think the definition of that means different things to different people. At the time, you know, everything was starting to become smart, which meant everything had some internet connection to it and probably one or more radios in it. And…

Paul Asadoorian (03:03.647) Mm-hmm.

Paul Asadoorian (03:14.018) Mm-hmm.

Evan Dornbush (03:17.547) network devices and radio devices are really hard to get into a government secure facility. There’s just a lot of paperwork involved. So maybe a half dozen of us or so we kind of all.

Paul Asadoorian (03:24.706) Sure.

Evan Dornbush (03:28.959) rallied up and did some splitsies, left government. We literally founded a company that was in the parking lot of a shopping mall, which would enable us to go to the Best Buy and go to the Apple Store and just pick up stuff, tear it apart, figure out how it worked, and then license those research products out to people that needed to know.

Since then, I’ve done a couple other startups. The latest one we’re calling Desired Effect, which actually builds off that first model of empowering the vulnerability research community to take action and to stay engaged with research and in many ways to monetize their research.

Paul Asadoorian (04:11.542) So what is an exploit marketplace in the way that you’ve envisioned it, Evan?

Evan Dornbush (04:17.994) Yeah, that’s a good question. I think traditionally, if you look at like the last 20, 30 years, the vulnerability research community has had a hard time monetizing their findings, right? And so the original approach was, let’s go straight to the vendors and tell them there’s an issue. And you would think that they would be welcomed with open arms. And in fact, they’re often met with cease and desist orders and all sorts of legal threats. I think we’ve come a little bit of a long way. I don’t wanna say a long way. I don’t wanna say a little bit, maybe just a medium way beyond that. But right now, to monetize the efforts of research

Yeah.

functions, individuals are essentially left with not great options, right? From their perspective, they can go to bug bounty, which has defined scopes, defined payouts, and now there’s a bureaucracy behind it. Or a lot of times what we see is, generally speaking, researchers will either pocket their stuff, just have stuff sitting on a hard drive in their basement somewhere, or they’ll try and sell it to whoever basically says, I’m at a trade show, you’re at a trade

Paul Asadoorian (05:12.843) Mm-hmm.

Evan Dornbush (05:31.117) show, you know, I’ve got a manila envelope full of cash. Don’t ask too many questions. And none of those are really great options. And so the vision for Desired Effect is to provide great options where no great options currently exist. And so in our marketplace, researchers can set pricing for what they think their time and energy is worth. They can determine whether they want to be bound to an NDA or whether they want to reserve the right to claim credit for the discovery later. They

Paul Asadoorian (05:39.618) Mm.

Evan Dornbush (06:00.96) reserve the right to dictate who they will or will not sell their research to for whatever moral or ethical reasons they have. And in addition to selling the exploits, which we can talk a little about the mechanics around that, one thing that we’ve determined is,

Paul Asadoorian (06:06.391) Mm-hmm.

Evan Dornbush (06:21.83) You can also sell the awareness of the exploits and make just as much money without having to necessarily disclose all the mechanics of a bug. We believe, and our hypothesis through Desired Effect is, the number of defenders far, you know, outnumbers and outweighs the number of operators, of offensive operators, criminals, in both manpower and in budget collectively. And most defenders don’t really care about the exploits. They just want to know where their

risk is and what they can do about it. And so we provide a mechanism where those defenders that are responsible for maintaining, you know, critical uptime for the stuff they’ve purchased, they can get actionable, you know, mitigation reports from the researchers, who don’t have to necessarily disclose the techniques.

Paul Asadoorian (06:52.832) Yeah, right.

Paul Asadoorian (07:12.276) Mm-hmm. Yeah, I mean it’s similar to ZDI. Is that true?

Evan Dornbush (07:15.754) Yeah, I believe so. I think the differentiation between ZDI and us basically comes down to scope and time.

I think ZDI is a fantastic entity and I’m really glad that they exist. They’ve done a lot of positivity within the community. And there are constraints that ZDI imposes, right? Here’s our contests, you have to fit this technology group, maybe this particular bug class and you’ve got certain timeframes. With us, we’re more of an open market, let the free market decide kind of a model, but the same concepts apply.

Paul Asadoorian (07:39.394) Mm-hmm.

Paul Asadoorian (07:51.585) Now, when does disclosure happen at some point? Or is that on a case by case basis? Because I’m a little concerned that, say, I find a vulnerability, and I go sell it on the marketplace, and like disclosure never happens to the vendor. Is that something that’s okay? Or is it only if I get in trouble, and the vendor won’t do anything about it, or both?

Evan Dornbush (08:12.958) Yeah, so with our model, the intent is for the seller, the researcher, to have control and a voice at that table, which to your point, Paul, doesn’t really happen today. It’s more of a take it or leave it, and these are the terms. And so we find some researchers adamantly want to, again,

reserve the rights to claim credit for the discovery later. Some are very adamant that action has to take place and others don’t necessarily, it’s not a priority for them. So it’s really on a case by case basis, but the researcher sets that pace.

Paul Asadoorian (08:48.384) Okay, so it’s up to the researcher to disclose or not disclose and handle the disclosure process, not your company.

Evan Dornbush (08:55.838) Well, we’ll handle disclosure. I think there’s a difference between transacting the intellectual property and the coordinated disclosure process. Even our buyers, like defenders again, like if someone has made the business decision that like, here’s our brand of switch, here’s our make and model of router, here’s our firewall or our mobile phone or printer, whatever, right?

Paul Asadoorian (08:57.762) Mm-hmm.

Evan Dornbush (09:16.938) Those entities, they just want to know what to do about the flaws and get the information that matters most to those who can do things with that information, whether that’s advisories, whether that’s patches, whether it’s YARA rules or signatures, it kind of all is exploit dependent. But one thing that the defenders don’t want to do is then manage the coordinated disclosure process. They’ll typically assign that to us and we’ll do it on everyone’s behalf.

Paul Asadoorian (09:39.459) Mm hmm. Okay. Well, because how does that impact the value of the exploit, whether it’s been disclosed or not, right? I would think there’s a time window where this exploit has a tremendous amount of value, right? And that value goes away. I mean, not entirely, but a lot of it goes away once a patch is issued and defenders can apply the patch and negate the weapon, basically, right? So how do you handle that process?

Evan Dornbush (10:09.288) I don’t know that we necessarily need to. I mean, I think again, it’s an open market, and the same argument is, you know, if a researcher sets a very high dollar amount and there’s no buyer for that price point, then what, right? So I think having an open, transparent marketplace where analytics can be tracked and some of the trending analysis can go out is valuable to…

Paul Asadoorian (10:22.913) Mm-hmm.

Evan Dornbush (10:30.558) both the research community and the defensive community, and frankly the offensive community as well. But I agree with you. I think the value of a zero… we’re all coming back from Vegas, right? So like Hacker Summer Camp. The value of a zero day is, the analogy is, it’s a magic trick, right? And the value is the secret, right? And if I know how the bunnies get pulled out of the hat or how the lady gets cut in half, that trick loses its value, and zero days are no different, right?

Paul Asadoorian (10:41.75) Mm-hmm.

Evan Dornbush (11:00.492) valuable when very few people know how they work and they decrease in value the more the community learns. And again, I think that’s part of the social good that we’re trying to pull off where right now the model that we see and have seen for 20, 30 years has been researcher finds a thing.

Paul Asadoorian (11:03.212) Yeah.

Evan Dornbush (11:21.77) can’t or doesn’t know what to do with it responsibly and so just sells it to a criminal, criminal weaponizes it, you know, operationally uses it, and now you have victims all over the place. Only at some point, through a misfire or repeated misfire, does the defensive community get to confirm that there’s an exploit and then issue advisories and, you know, patches and all that other jazz. What we’re trying to do with Desired Effect is short circuit that, where now the researcher has a non-criminal avenue to monetize their discovery and maybe

weaponization never happens, right? But even if weaponization were to happen, because secrets are hard to keep and a lot of researchers now work in teams, the quicker we can get this information out to the defensive community, the safer we’ll all be. Everyone’s collective risk is reduced in this model.

Paul Asadoorian (12:11.818) It’s interesting when we talk about network appliances and VPN appliances, how important this is to have that prior knowledge of, is there an exploit, is there a vulnerability and exploit that I don’t know about? Because these devices are just, we’ve talked about this on the show a lot, right? These devices are just hanging out there. Typically, I’m going to generalize, very poor code quality, contain remote code execution vulnerabilities, knowing that attackers could get a hold of this.

is that’s the value really to your product, right, it sounds like.

Evan Dornbush (12:44.062) Yeah, I think the marketing folks came up with, like, the earliest possible intelligence on existing risk that you already have. It’s a lot of words, but it’s true. I think, I mean, how…

Even today, someone asked me to comment in press about, like, you know, this zero day bug happens. Like, what do we do? Like, well, right now it sucks, right? You wait for a patch and then you patch. And the reality is it’s not really a new zero day bug. It’s new to you because you’re just hearing about it for the first time because people are losing their minds. But it’s been known about for a while because the attackers have had it, they’ve been using it. And it’s only now that it’s coming to top of mind. And so, you know, the

reason defenders are 10 steps behind attackers is because attackers engage the vulnerability research community and they partner and they value and buy this information and then they get a lead, they get a head start and defenders are always 10 steps behind. What we’re trying to do is give defenders the same ability to participate in the economy that’s already happening. We’re just surfacing it so that it’s not on the dark web or happening in hallways of trade shows anymore.

Paul Asadoorian (13:46.327) Mm-hmm.

Paul Asadoorian (13:51.53) Right. Sorry, Chase, Vlad, you guys have questions, comments.

Chase Snyder (13:58.484) I’m reading your manifesto right now and I’m really enjoying the notion that the…

Evan Dornbush (14:02.343) Yeah

Chase Snyder (14:06.312) the RSA sort of Super Bowl of sales and marketing. It is strange that such a foundational… when I was a kid, I always wondered, why aren’t farmers more rich? They control an asset that literally everybody needs. And it’s because when you have something super valuable like that, you get slotted into a sort of, like, exploited. It’s like, you can’t let them take control. You got to, like, slot them into the sort of exploited part of the stack. So this is a super interesting approach to me. But I’m curious.

Paul Asadoorian (14:18.498) Right.

Chase Snyder (14:35.92) I can see a sort of arbitrage opportunity here for these vulnerability… people who discover the vulnerabilities or the exploits, where they put it on here and basically generate evidence of the value, like jack it up to be like, I have an offer for this, and then use that as leverage. I mean, that would be, you know, a very black hat thing to do, but that would be, what’s your sense of, like,

Do the vulnerable, do people who are discovering these things want a specifically like ethical outlet like this or not really care? What’s the level of like how much doing the right thing or doing it in a responsible way is influencing their behavior right now?

Evan Dornbush (15:27.422) Yeah, I think it’s hard to stuff everyone in the vulnerability research community into, like, one, here’s what everyone thinks. However, I believe, just from being a bug broker for 20 odd years now, one of the things that we were learning with Desired Effect and putting into practice is, again, the ability for…

Chase Snyder (15:35.796) Sure, fair.

Evan Dornbush (15:49.963) researchers to actually have a voice at the table and dictate the terms rather than just taking it or leaving it. And so, you know, look, some of our customers are very explicit where they only want the capabilities going to offensive units in, like, law enforcement and military, and they don’t want the defensive side finding out about their discovery. And that’s there. That’s fine. We support that. I think in terms of arbitrage, like, we’re dealing with hackers. So like, people are going to play games a little bit. But, you know, by and large, the motivations are

different. You know, again, I think some folks just want stuff to get patched. Some people want to use their, you know, their weekend discovery to maybe start their own security practice. And it’s the notoriety that’s important to them. Other people, we’ve definitely worked with, like, large groups, it’s like 10 friends that just do this nights and weekends and have been doing it for years. Now they’ve just got this, like,

volume of stuff and they just kind of don’t know what to do with it. But they know that they hate people and they don’t want to do sales and they don’t want to do marketing and they just want to stick on keyboard, and that’s great. Throw your stuff in our marketplace, if we find a buyer, great. And if not, you know, you know.

Paul Asadoorian (16:50.72) Ha ha ha ha!

Paul Asadoorian (16:58.4) I just want to hone in on that. There is, I believe, a lot of social interaction, sales and marketing that has to happen when you have discovered a vulnerability and you have to disclose it. You have to basically sell it to the vendor as this is a real problem, which kind of leads me into my next question of, you know, we’ve seen historically and very recently where a researcher makes a discovery and the vendor disputes that claim and the security community kind of gets split.

some people think it’s real, some people think it’s not. Do you provide a service where you can help validate that vulnerability and exploit Evan? Because I feel like that’s something we need right now.

Evan Dornbush (17:38.133) We do, and that’s our core function. So the researchers at some point, they start by saying they’ve got something and that’s just words on a page, right? And we are selective about what we enter into the marketplace because we want it to have commercial value or else it’s not worth really anyone’s time. And in that process, it has to be real, yeah.

Paul Asadoorian (17:40.511) Mm-hmm.

Paul Asadoorian (17:48.066) Mm-hmm.

Paul Asadoorian (17:53.795) It has to be real. It has to be real. I mean, Elastic, you know, yeah, but so have you looked at the Elastic EDR vulnerability and bypass? They’ve done a two part blog post series. Elastic says, no, it’s not a vulnerability. Researcher says, no, it is a vulnerability. And I find the community somewhat divided on that. Most people leaning towards, like, I don’t think this is real. But from a threat perspective, we need to know the answer to this. And I think if folks like you can help us answer that.

That’s huge value.

Evan Dornbush (18:24.83) Yeah, and again, don’t trust me for a million reasons, right? But I think you don’t need to take my word on any of this stuff. Like, at the end of the day, it’s free market principles, and we’re not trying to out-tech this and we’re not trying to out-spin this. So I have an example. So we have one seller in our marketplace, where there is an MDR technology that, in the strictest sense of definition,

Paul Asadoorian (18:28.418) Mm-hmm.

Paul Asadoorian (18:33.953) Mm-hmm.

Evan Dornbush (18:50.26) this researcher has not figured out an exploit to it, you know, write attack code and have an impact on a particular set of technology. However, the MDR is obviously sharing with the world, like, we’re monitoring your network on your behalf, and he has come up with a technique to blind that product. So everyone’s seeing, like, green thumbs up across the board, green check marks across the board. And is that an exploit? No, there’s no buffer overflow or, you know, where no one’s manipulated

Paul Asadoorian (19:18.837) Mm-hmm.

Evan Dornbush (19:20.274) any pointers or anything. But if I was a customer and I was under the assumption that someone’s monitoring my network because I’m paying them to do it, and lo and behold they’re not capable of doing that, to me that’s an exploit, right, in the sense that it is a risk to my business. And so again, am I right, or perhaps the vendor is right in that it’s not a bug, therefore it’s not a bug. Let the market decide. If someone’s going to pay for these reports to figure out what to do about it, then at least there’s value, and it goes back to the researcher so they can,

Paul Asadoorian (19:36.332) Mm-hmm.

Evan Dornbush (19:50.124) you know, their time has been incentivized and they can go, you know, perhaps build off of it and find the next great thing, you know, the next time.

Vlad Babkin (19:58.863) So, also speaking of that, how do you decide who gets to join your platform as a buyer? Like, obviously, researchers just sign up and sell stuff, but yeah, the other end of the question is a pretty good question, actually.

Evan Dornbush (20:13.608) Yeah, we get that question a lot, and I wish I had, like…

I can give you a true, honest answer. I don’t know how to spin this up the way that I’m sure some people would like it to be gussied up. It’s hard. It’s probably our hardest challenge. You know, we want the information to be available, right? So we want to have signups and have people coming through. And again, most people on our platform, most of our clients, do not buy the exploits. So that, I think, makes it a little bit easier. The mechanical answer to your question is, like, we’re a US based company. So we will sell to anyone that we’re authorized to sell to as a

Vlad Babkin (20:25.23) Ahem.

Evan Dornbush (20:48.618) US company. So State Department has their, like, entities list, or certain people we can’t or don’t want to do business with. But like, at the end of the day, if a flower shop wants to figure out that their cash registers have problems, like, great. Again, having that information make its way out is collectively a good thing. When it comes to purchasing the exploits, we want to know who you are. So one of the things we do is, like, the buyers and the sellers on our platform are anonymous to each other. But we do our best to know

everyone, because we want to make sure that, again, if they’re a flower shop, if they claim to be a flower shop, are they actually a flower shop, right? So that way when the seller says, like, I’m not gonna sell to commercial entities, okay, flower shop’s out. If they say that they’ll only sell to this particular kind of, you know, the original vendor, great. If they’ll only sell to this nation’s government but they won’t sell to that nation’s government, great. We, you know, we really want to marry that up. So right now, I guess,

Paul Asadoorian (21:34.57) Yeah.

Evan Dornbush (21:48.501) you know, it’s a manual, cumbersome process of taking someone out to dinner and getting to know them and then having them host me in their office. It doesn’t scale, but it works pretty well.

Paul Asadoorian (21:56.803) What if, Evan, a cybersecurity company wants to subscribe to gain intelligence to build it into their defensive platform? Is that in play? Okay.

Evan Dornbush (22:05.854) Yeah, absolutely. Again, it’s not our information. So I’m trying not to gatekeep. It is the researcher’s product. It is their intellectual property. We’re simply providing the conduit. And if the seller is open to that, the seller is open to that, right? Because again, to your point, Paul, like, there are definitely…

there are definitely a lot of products that do scanning and monitoring and mapping and having this overlaid would absolutely make those products better. And again, if the seller’s cool with it, the seller’s cool with it. There are also companies that, you

Paul Asadoorian (22:33.57) Mm-hmm.

Evan Dornbush (22:40.226) would want to buy, would personally want to buy the exploits and package it into their thing so that they can go either do pen testing or red teaming or in some cases have a wider offering that they can go sell however they want. And some researchers are cool with it and some are not.

Paul Asadoorian (22:55.498) Right. It reminds me of Dave Aitel’s Immunity Sec, and he had, was it have law or someone created the exploit pack for it. And it was, like, exploits for, like, kind of weird, esoteric enterprise software that you could buy a bundle of. And it was exploits you wouldn’t find anywhere else, right. And it kind of legitimized the, I need to go find an exploit for this, but I want a working one, I want a validated one. So I’m going to pay money to get this exploit pack.

Evan Dornbush (23:21.8) Yeah, and one thing that we do offer, which has surprisingly been very important, more so than I thought it would be as we start to have dialogue, is the ability for our subscribers, our defensive or offensive, but our consumer customers, to anonymously seed research topics to the research community. We’ve definitely worked with a number of financial institutions that, for better or for worse, are reliant on legacy technology for which there

Paul Asadoorian (23:44.17) Interesting.

Evan Dornbush (23:51.717) are no manufacturers anymore, right? And so those things should get powered down at some point, but right now no one can figure it out, and they don’t want to be caught in a situation where there’s a bug that they find out about the hard way. So again, having that first access to the intelligence is…

Paul Asadoorian (23:52.693) Yes.

Paul Asadoorian (24:06.21) Right. Because we’re finding out about them once they land in the wild. We all know about it, right. And I just wrote a blog post that published today about end of life devices and this problem that we’re in. One of the issues that I don’t know if I specifically address in the post is that when the devices end of life, attackers are going after it, and we only find out that they’re weaponizing exploits and going after it until something gets popped and someone does forensics on it.

I’m like, well, that’s too late. Like now, like they’ve already, they’ve already built a botnet of 2000 devices and they’re scanning the internet for more vulnerable things and just automatically compromising. Like once the cat’s out of the bag, attackers are moving faster than ever before.

Evan Dornbush (24:52.308) Yeah, I mean, there’s a huge gap that exists between, like, what you think you’re buying and what you’re actually getting. And like, the whole cybersecurity industry exists to cover that gap. And, you know, sometimes it’s alerting and monitoring

Paul Asadoorian (25:00.16) Mm-hmm.

Evan Dornbush (25:07.722) and response, but I think we want to get past that as a society. I think we want to be more proactive and again, get ahead of these things and don’t find out the hard way, right? A researcher who wants $10,000 is a hell of a lot cheaper than if that bug gets out to 15 enterprises each for a $10 million ransom.

Paul Asadoorian (25:27.584) Right. Yeah, no, it’s 100% true, and it’s interesting, the end of life devices that attackers are going after and their tactics now. Attackers are moving faster. They’re ahead of the curve, I think, more so than the defenders, in terms of they’ve already mapped the internet to know where all the stuff is. And even though there hasn’t been a new vulnerability or exploit associated with it, they already know where that stuff is,

so that when they do come across one or discover one on their own, they don’t have to map the internet, it’s already done. They’re doing patch-diffing earlier on in the process too. And they’re taking, there’s at least two cases I can think of in my head where the vendor said, this is not exploitable, or this is not being exploited in the wild. And it turns out that it is exploitable. I think Ivanti had a flaw and they were like, no, this is just a bug,

Evan Dornbush (26:02.399) Yeah.

Evan Dornbush (26:05.953) Yep.

Paul Asadoorian (26:25.139) not a vulnerability, and attackers were like, hold my beer. No, it’s a vulnerability. We’re exploiting it. Now it’s in the wild. And the customers are left going, well, we didn’t apply that patch because there was nothing pressing security wise, except there was. And I feel like companies like yourselves can help us with that problem, to get ahead of a lot of these things.

Evan Dornbush (26:28.137) Yeah.

Evan Dornbush (26:44.554) Yeah, we hope so. I mean, I think there’s a lot of things that come to mind, right? More authoritative sources than just me spouting stuff on a podcast have come out and said, yeah, what used to take, you know, attackers months, if not years, to, you know, reverse engineer and produce an exploit for is now down to, you know, minutes and hours, and automation and AI are only going to make that a lot shorter. I think the other part, to your point about end of life, you know, I gave a talk last summer

at BSides Las Vegas about, people always ask me, like, how much is a bug worth? And, you know, it’s not all… I think the analogy I gave in the talk, I’m going to misremember this, so if you’re at the talk, I apologize. But like, it was like, you know, the number one EV maker, electric vehicle maker, in the world at the time, I think it seems to be changing, it was Tesla, right? Like, Teslas are expensive. They’re amazing. But like,

terrorists don’t drive Teslas, right? And so a bug for, you know, a telematics unit in, like, a Hyundai or a Honda is maybe more valuable to certain audiences than the latest and greatest, right? I think, you know, Windows 95 bugs might in fact be more valuable than a Windows 11 bug because it just depends what your objectives are. Again, going back to my defensive customers, like,

Paul Asadoorian (27:48.757) Mm-hmm.

Paul Asadoorian (27:57.365) Your target, yeah.

Evan Dornbush (28:00.907) You would think that the banks would have modern technology and a lot of them do, but a lot of them also have old mainframe systems and they’re just as critical. And so the value of a bug, like let the market decide it, you know? So.

Paul Asadoorian (28:06.891) Mm-hmm.

Paul Asadoorian (28:14.259) It’s interesting in some of the older legacy gear too, they don’t always issue CVEs. I think it was Jericho, Brian Martin, was writing a post. And as an example, he brought up AIX, which is a great tie-in to, like, large financials that may have AIX sitting in the background. But for whatever reason, like, certain edge case, I don’t want to call AIX an edge case OS, but you know, it’s not as popular as a lot of other operating systems today. But the CVEs are there, kind of like, whatever, like, we’re not issuing CVEs for that.

But if I’m a large financial with AIX, I want to know the entire threat landscape, and how do I get that information?

Evan Dornbush (28:49.864) Yeah. Brian also does a really good job of shitting on CVSS and EPSS and all these, like, scoring mechanisms and any vulnerability management prioritization, in that, you know, yes, you can come up with some kind of rubric where this bug scores a 10 out of 10. It’s serious. And this bug scores a three out of 10. But if I’m an attacker, I just want to get in and I don’t care how sexy the bug is, right? If it’s going to get me in with it, I don’t, I’m not looking at those CVSS scores. If it’s a three, but it gets me in, then that’s valuable.

Paul Asadoorian (28:54.411) Yep.

Evan Dornbush (29:19.788) And again, I don’t know, like let, you know, I don’t know. It’s hard. That’s a harder problem when you’re trying to determine, you know, which, whether, and to your point, Paul, like, has it really been patched or is it just a patch that we think is, you know, I don’t know. It’s tough, tough world out there.

Paul Asadoorian (29:38.465) Sorry Chase, you have a question. Chase and then Vlad.

Vlad Babkin (29:40.035) else rune.

Chase Snyder (29:40.884) Yeah, I just realized there’s a hand raise effect in here. So we’re going around. Yeah, me up next. OK, so you’re talking about the kinds of organizations that will buy this. And I’m curious if you, so far, as far into it as you are now, are getting any sort of insights that you feel like are valuable beyond just running this business about the sort of offensive and defensive landscape, looking at who is buying

Vlad Babkin (29:46.607) Okay.

Chase Snyder (30:09.286) what kind of research or who’s seeding what sort of research needs because that feels like a whole other market intelligence feed that you could, I don’t know whether your agreements with these buyers and sellers would allow for this, but that seems like a market intelligence feed that you could build and sell or certainly use to make this business.

work better. But I’m curious, like, who’s doing the buying and selling? What kinds of organizations are, you know, spending the most money or the most interested in this?

Evan Dornbush (30:43.582) Yeah, yeah, good questions. I think, yes, I think I always like to liken us to, like, one day being like Zillow, but for exploits, right? Like, you know, this is a popular neighborhood, right? You know, here’s the trends of the last 90 days. 800 people have looked at this thing and five people have bid on it or whatever, right? I think we’re not there yet. You know, I think we need a little bit more vibrancy, but that’s coming. And, you know, just again, having the trends

Chase Snyder (31:00.079) Yeah.

Evan Dornbush (31:11.946) be transparent and be available, I think would be a fantastic thing for the community. Like even just, you know, how many exploit writers are there? What is the average? Like there was a recent story for some, I don’t know, UAE-based company that was like, we’ll pay $20 million for a bug. And everyone was like, that’s way too high. And I was like, maybe, but how do you know, right? So it’s really hard to get data when everything is, like, below the surface. Ah, good zinger there. On, like, all these gray markets at

you on the dark web and, again, meeting in, like, back alleys, kind of, you know, it’s not good for the buyers. It’s not good for the sellers. It’s not good for, you know, the defensive community. It’s not good for the vendors when everything is, like, semi-illicit. And I think by now we’re finally past all this, it should be transparent, you know.

Paul Asadoorian (31:57.942) Yeah, no, but I was just gonna go here, Evan, like I think it’s a great point and there’s a great case where Black Lotus, right? And this is what I want help with. So we observe Black Lotus being sold on the whatever we call it, right? And we don’t always wanna say dark web, because it wasn’t the dark web, it was some hacker forum somewhere. And I always struggle with like, what do we call that, right? But it’s, I call it like the hacker underground for lack of a better term. And I’m like, well, that’s great. But I’m like, am I gonna go try and purchase it from that person?

Not knowing if it’s real or not. They’re making a claim. They’re putting a price on it. I don’t know if it’s real. I don’t necessarily, I’m not comfortable doing that transaction because, what, do they want Bitcoin? How much do they want? How do we do the transaction? All that stuff. But if I can come to a commercial marketplace, I want to see stuff like Black Lotus there. I want you to do some level of validation, and I want to be a subscriber and go, that is a real threat and we need to work on that.

Evan Dornbush (32:56.83) Yeah, and we’ve taken the angle that we’re going to focus on the zero-day exploit side of it. There are other companies that are out there that are kind of doing similar things for ransomware samples or for hacker forum, like, you know, buying those old accounts and like, you know, illicitly.

Paul Asadoorian (33:03.456) Yeah.

Evan Dornbush (33:18.268) you know, unless it’s not the right word, like joining those forums from, know, and then like basically like spilling the beans on all the stuff that who’s in there what are they saying? Like joining the hacker forums under false pretenses, go figure. And I think those are all good things, right? I think at the end of the day, what’s going to actually put a dent in cybersecurity as a problem set is making it more expensive for criminals to be criminals. you know, governments can impose fines in jail

Paul Asadoorian (33:27.36) Yeah.

Evan Dornbush (33:48.135) terms and stuff, like the private sector needs to step up and find ways to just make it more expensive. And I think by raising the cost in terms of time, in terms of money, terms of, don’t know, some entities have been really good at just burning infrastructure, and it takes time and money to rebuild all that. Like anything that’s gonna de-incentivize someone from being a criminal is again a collectively good thing for all of us.

Paul Asadoorian (34:14.816) Mm-hmm.

Paul Asadoorian (34:18.421) Vlad, did you have a question in there? Sorry.

Vlad Babkin (34:22.177) Yeah, so…

One, like, actually two things. One thing is to drop in, like, attackers don’t even care if it’s just one exploit or, like, one vulnerability or a whole chain of them that leads them to take over the device, to just throw in a little bit more to the previous conversation. But there is also a question. Wouldn’t this, conceptually, like, business just impede defensive effort as well? Like attackers, like, right now they have an option to A, exploit them on the black market and go illegal,

or B, sell it to the defender, right? So there isn’t really an option C right now. So what you’re doing is opening up an option C, sell it to whomever will buy it, but the researchers have the option to say, no, we don’t want this to go to the vendor. So this would mean that quite a few vulnerabilities will just never get fixed because of this, or not fixed anytime soon, which would risk, especially if the buyer of the exploit has a leak.

in the future which sometimes happens, even with the best of us.

Paul Asadoorian (35:26.165) Mm.

Sorry, Evan, your typing is very loud. Just FYI.

Evan Dornbush (35:33.278) I’m trying to come up with some good responses. Those are really provocative questions. I think, and I appreciate that, I’ll mute next time, but I think, I mean, there’s a lot in there. I think.

Paul Asadoorian (35:35.497) Yeah.

Evan Dornbush (35:51.455) The reason why researchers don’t want to go to vendors a lot of times is because, again, the vendors treat the researchers like demons and with a lot of disdain, and they don’t want to sit at one end of a table all alone. And on the other side of some corporate board table is, like, 15 lawyers screaming at them and telling them this is how it’s gonna be. And so it’s a very asymmetric conversation. And what we’re trying to pull off at Desired Effect is give the researchers some advocacy,

some support, not that sorry that we’re the seller’s agent in an IP transaction, but essentially that is exactly what we’re doing, right? Right now the corporates have all the cards and the researchers are going in as themselves, right? Totally without representation. And so I think that there’s a gap in the marketplace that we’re filling for that, which again gives the researchers,

more voice and more say in the process and just again better options. One thing I do want to push back on a little bit that is at least in my experience and I think this again lends itself to why I’m willing to commit to this kind of a cause.

A lot of times, not always, but a lot of times the researcher who uncovers the flaw is not the same person that’s operating and using it. And so, again, the researcher who finds the flaw can sell it to an unknown entity just for, again, dollars in an envelope, and then that entity can choose to do crime with those things. But the researcher, him or herself, often is not actually using these technologies. And so, again, opening up option C is

super valuable because now they’ve got a place to go where they can get real value that doesn’t necessitate them to do anything that would be unethical in their minds.

Vlad Babkin (37:47.532) That’s actually a valid point, if you think about it like that. So there are like researchers who do this and then use it themselves, but probably that’s not all of them. By far not all of them.

Evan Dornbush (37:59.051) Yeah, even, I mean, I’ve definitely, over my, again, 20-plus-year career, my history in a space adjacent to the Intel community, like, there’s a lot of talent inside, you know, a lot of different nations’ governments, but to say that any nation has a hundred percent of the talent pool and a hundred percent of the time to flesh out these things is crazy. Like there has to be

some kind of partnership with the private sector to augment and…

Yeah, I think it’s just a global pool of talent. And that’s important to recognize too.

Paul Asadoorian (38:39.585) I think there’s a good opportunity for, let’s just say, manufacturers as an example. And let’s talk about vehicle manufacturers, right? ’Cause I’ve been following the “you can unlock a car with the Flipper Zero” story very, very closely. And the recent headline on that is a couple of car manufacturers were like, there’s no problem here. And they’re just hand-waving. Whereas I feel like they need to be more proactive and they need to come to folks like you and be like, hey, I want to know about any research that’s happening that allows people to

Vlad Babkin (38:39.812) makes sense.

Paul Asadoorian (39:09.343) bypass any vehicle security, right? And they should want to get ahead of that, accept it and fix it. But that’s not always the case. But here they have a perfect mechanism now to do that. I feel like they won’t use it without some coercion.

Evan Dornbush (39:23.506) Yeah, and again, I think part of the reason that makes us attractive, like part of the reason why defenders are interested in us, frankly speaking, is, you know, they…

they know that there’s risk, but they also know that they’re not in control of the source code. And so when a researcher submits something through a, you know, a VDP program, like Katie Moussouris says all the time, I love it, like the D in VDP, vulnerability disclosure program, is disclosure. And we’re not doing that anymore. Everything is just under, like, all these gag orders and NDAs. And so the next generation of researcher and the next generation of operator and consumer, like, there’s less actual tangible information where people can learn it and do better.

Paul Asadoorian (39:52.691) Yeah, yeah.

Evan Dornbush (40:03.444) And so I think there is an element of pressure where a defender could say to their vendor, like, hey, you probably should have bought this. You didn’t. I bought it. I’m not going to renew my contract with you unless you make me whole. And fix your shit. I’m not really a stock market investor kind of guy, but every so often I peek at some of the share value and the trends of some of these very large security device

Paul Asadoorian (40:19.445) Mm-hmm.

Evan Dornbush (40:33.364) manufacturers, and I try and correlate it with the number of bugs that have been disclosed over the last couple of weeks, and it’s massive, and I don’t understand, because these are secure, in some cases, just, I mean, I, there are, not everyone, everyone

trying to look at the best of everything, like there are just, not everyone, but there are bad vendors out there just producing shit product. And, you know, at some point there needs to be a mechanism, a market mechanism, that informs and allows people to take, you know, to respond accordingly, like, you know, to change the, again, change the brand of the, to your point, Paul, like the VPN concentrator that they’re using to a different brand that maybe is more responsive to the needs, you know.

Paul Asadoorian (41:14.177) Mm-hmm.

Paul Asadoorian (41:18.09) Yeah, I mean, there’s people doing that. I mean, I’ve spoken with people, a large financial institution, and they won’t name the vendors, you’re right, even to me privately, but they’re like, based on security, we’ve absolutely, we’ve changed vendors, right? It’s specific to VPN appliances. You brought it up, right? Exactly.

Chase Snyder (41:32.062) Probably can’t guess which one. It’s really difficult to guess. This is so fascinating to me, though. Like, I feel like what you’re doing is fundamentally addressing a social dynamic. It’s like the social nature of the asymmetry between the big companies that are incentivized to hide and downplay the nature of the vulnerabilities in their things, but also like, I don’t know.

You know, Chase Cunningham, big security guy, been on the pod before, says, he talks a lot about “buy the breach.” And maybe he didn’t come up with that. I don’t know. He talks about it a lot, where it’s like the stock takes a hit when there’s a big breach. You basically buy it on a discount because any of the big blue chip cybersecurity vendors, they’re going to bounce back. And that’s been over and over. And like, I keep not doing it, being like, why didn’t I do it this time? It happens every single day. Always come back. And that sort of.

Evan Dornbush (42:09.662) Yeah.

Chase Snyder (42:29.524) And like you talk about NVD and CVSS and stuff, where it’s like very consistently vendors will publish a lower risk score than other organizations that publish the score. It’s like all the incentives are lined up for them to minimize, to say, like, that’s not accessible. If you deployed this product as instructed in the manual, then nobody could ever exploit that. It’s like, well, who has ever once deployed

Evan Dornbush (42:44.627) Yeah.

Chase Snyder (42:56.308) of VPN or a firewall 100 % to spec. It’s just not, reality has a lot of detail and mitigating factors that make it not happen, but yeah.

Evan Dornbush (42:59.72) Yeah.

Evan Dornbush (43:07.188) You also bring up a good point there. Like, this scores as an 8.1, but it would be really better for me if it was an 8.0, because I’d have less work to do, or an 8.3, because my payout would be higher, or whatever, you know, I don’t know. I’ve always gravitated towards companies that are doing…

Paul Asadoorian (43:15.35) Yeah, right.

Evan Dornbush (43:24.86) less tech and more people. And so I think, at least for me personally, this marketplace concept is kind of like right in my, just, fascination levels, because I think since the dawn of time, humans have always tried to figure out a way around technology and we keep responding with more and more technology, and that only introduces more attack surface and more stuff for people to experiment and play around with. If it was a techno…

If it was a technological solution to cybersecurity, it would have been solved and invented, but it’s not. It’s an economic problem. It’s a people problem. And so, you know, we’re trying to…

actually have a meaningful dent in cybercrime, again, through people, right? Changing the economic incentives for criminals, changing the economic incentives for researchers, a firewall is not going to do that. And the device that you now put in front of your firewall to make the firewall better is not going to do that. And the AI to analyze the firewall logs is not going to do that either, right? We can’t keep thinking that more tech in the tech stack is the problem. To your point, Chase, we don’t have enough people to read the manuals and operate these things as the manufacturer recommends them.

Paul Asadoorian (44:19.253) Mm-hmm.

Evan Dornbush (44:29.417) So why am I going to buy more product to solve it? It’s, it’s, you’re just digging that hole deeper.

Chase Snyder (44:35.1) Yeah, we talked recently about the overall, if you take a sort of systems thinking approach to it, any product that you’re bringing into your environment. A firewall is a great example. It’s like the point of it is to reduce risk, but inevitably you are also introducing new risk. And it’s super hard to know, given the other circumstances of your environment, whether the risk that is mitigated is greater than the new risk that is added, because.

Yeah, the vulnerabilities are not all disclosed. You don’t have access. We talk a lot about how you can’t instrument your firewall appliance for monitoring. And so you just don’t have as much control or visibility into that. And it creates this asymmetrical environment where it’s like, sort of like, okay, trust us that the guts of this thing are good and that it’s going to mitigate more risk than it introduces. And then, you know, the stories come out of those being the pathway for initial access.

or persistence, like, well, was it good for me to put that thing in? It’s like, or would I have avoided getting hacked if I didn’t have that vulnerability in there, in the security thing?

Evan Dornbush (45:33.578) Hmm? Yeah.

Evan Dornbush (45:41.237) Yeah, that’s a good point.

Paul Asadoorian (45:41.474) Mm.

Evan Dornbush (45:44.073) I think one thing that we would like to do, this is a preview of what will probably be in a few years, I really enjoy playing poker, and there’s a concept in poker of expected value, right? That is, given the size of the pot of chips in the middle that you could potentially win, knowing how many cards are remaining that could improve your hand, like, what’s the thing you should do? And I really want to build some kind of model like that into our system when we have enough data points, because again, like, there’s a free market side where, again, the researcher puts their finger in the air and says,

This is what I want to make me and my team whole for all the hours that we put into this thing. Got it. Now we know what your asks are. From the business’ side, is that ask a reasonable ask? Well, you’re going to compare that against, again, if a bad guy got this, what’s the damage that could happen to you? What’s the likelihood that you get popped in the first place? And then if so, what’s the impact? And is it a bug that’s just going to like…

Take your server down for a little bit, or, and is that server, like, running your t-shirt factory in the middle of, you know, Christmas season, or is it just, you know, some, you know, like, like

Evan Dornbush (47:00.014) and site, here’s your known cost to get this bug off market and just get it out of play for the attackers. Here’s the likely expected value of, again, if you were to be breached and then ransomed off of this thing and then multiply that by your likelihood of getting attacked, this is a good price. Just buy the bug and it’s

cost of doing business, move on, or the researcher wants $20 million but the fine is $5,000 and you roll the dice and you move on with your life. But having that data, being able to quantify return on investment and quantify risk reduction in dollars, I think that matters. And again, to your point, Chase, it’s really hard to do that if, like…

I’m adding a firewall which will block some network traffic but introduce more operating systems. So that’s a harder equation to map out.

Paul Asadoorian (47:56.832) Mm.

Chase Snyder (48:00.308) Yeah. I love, yeah, I love what you’re doing here. It’s very, introducing a new, different dynamic into it, which reminds me a lot of the recent, there was the Coinbase ransomware where they were like, okay, they demanded a $20 million ransom, so we’re putting out a $20 million reward for anybody who can. It’s like, we’re going to give the money to the good guys that catch them instead of the bad guys. Same downs, same loss for us, but net impact way better.

Evan Dornbush (48:05.94) Thanks.

Evan Dornbush (48:18.473) Yeah.

Evan Dornbush (48:22.268) Love it. Love it.

Paul Asadoorian (48:27.979) Yep, Vlad.

Vlad Babkin (48:29.298) So I wanna drop a little bit of salt on this. This doesn’t really solve the core problem of not incentivizing the vendor to actually produce decently protected software. Like, what we see is that a lot of vendors get constantly exploited. You know, I don’t wanna drop any names, just to not make some advertisement, but we all know that there are vendors which get exploit after exploit after exploit, where you can call it like a… If you make a, say, Slack channel…

Paul Asadoorian (48:51.522) Mm-hmm.

Vlad Babkin (48:58.706) you would call it something like “exploit of the day” for this vendor, right? And the question is, this doesn’t actually make them get better and maybe write the software properly, because this way the buyer is just going to be buying the fixes non-stop, getting the service from the… that the vendor should be providing them.

Paul Asadoorian (49:01.953) Mm-hmm.

Evan Dornbush (49:20.01) Yeah, maybe. I mean, I think part of it’s going to be a culture problem too, right? I think if you’re in a business where, to your point, there’s a new bug every week and, like…

at some point you got to come up with a better solution than just patch every bug as they come out. There just has to be something in the tech debt refresh CI/CD pipeline chain of magic that makes, which is expensive, right? That you’re now investing in developers to either build something or completely refactor something else. That’s a hard business decision when you’re trying to sell a commodity product on the shelves of Best Buy for $20 or less. And there’s a lot of competition in the hardware space now.

Vlad Babkin (49:49.372) Yep.

Vlad Babkin (49:57.618) eggs.

Vlad Babkin (50:02.163) Yeah. Yep.

Evan Dornbush (50:03.18) But I think the flip side is also true, where again, you have researchers that have submitted bugs through other channels to the vendors and they don’t get patched anyway, right? And so now you have a problem where the vendors knowingly put their customers at risk, and the researchers know, like, hey, there’s a bug, they’re aware, it’s been 100 days and, like,

Paul Asadoorian (50:16.692) Yeah.

Vlad Babkin (50:17.788) Yup, I’m not denying that either.

Evan Dornbush (50:28.99) do something and I, the researcher, can’t say anything because of this NDA that I’m already bound to and in some cases the altruism of, again, a VDP where the D is gone, there’s no disclosure, it’s just I’m gonna buy the bugs and shelve them and you can’t talk about it because I came to the table with a lawyer and you didn’t. That power asymmetry has to get broken up.

Paul Asadoorian (50:46.892) Right.

Paul Asadoorian (50:51.51) But what that does is it gives the attackers, the threat actors, more time to find the same bug and create the same exploit for it. Right. And that’s always been my issue, of, like, how many times in our history of hacking and cybersecurity has a researcher found something, like, I, not a lot of this is public, right? Like, I talk to people and they’re like, I found this thing, to your point, Evan, like, I tried to disclose it, but I’m just kind of sitting on it because I have an NDA now and I can’t do anything about it. And now the clock is ticking.

A threat actor is going to find that same thing and exploit it, and as defenders we’re going to be in a crappy position.

Evan Dornbush (51:23.337) Yeah.

Evan Dornbush (51:27.336) Yeah, Vlad mentioned this earlier, right? Bugs are not just simple, you know…

Vlad Babkin (51:28.348) Yeah, some-

Evan Dornbush (51:32.583) ALF-1s smashing the stack for fun and profit, very simple, straightforward buffer overflows anymore. There’s chains. And what you have a lot of times is not the solo 15-year-old kid in the basement, but you have teams of people that are working in tandem, not necessarily in real life, but also across the internet sharing and swapping tricks and techniques. And to think that there’s not going to be an independent discovery of something is crazy.

Paul Asadoorian (51:56.449) Mm-hmm.

Evan Dornbush (52:02.696) I was talking about this to someone the other day, there’s this notion that, like, the intelligence communities buy all these exploits and stockpile them. Like, no, they don’t, right? Because, like, they’re going to be obsolete very soon at some point. The analogy I’ve always used, you know, brokering bugs is, you know, they’re fruit on a fruit stand and there’s a shelf life on it. And so, you know, once an exploit is known, once a vulnerability is known, like,

it’s only a short matter of time before somebody else, again, independently discovers something very adjacent or the exact same thing. If you, again, if you’re not working in a, you know, aboveboard, transparent marketplace where the buyers and sellers are sharing in the research and kind of crowdsourcing all those benefits and costs, you end up in a situation, again, where somebody that’s not participating is just going to go to a criminal and just sell

it for easy money. And again, it’s a global marketplace, and what might sound like a small amount of money to us all comfortably sitting in the field, it could be life-changing money for someone in certain parts of the world.

Vlad Babkin (53:18.79) And better yet, like I’m one happy researcher because I have a whole company where, okay, if I found something, I get support from them to do disclosure. But what about, let’s say, me 15 years ago, who would be sitting in the basement, maybe doing some research. And I would be like, what, the time would be, what, 16, I think? And yeah, that would be a pretty sad place to be if I discovered something really big and people started going after me. So having some company where I can just go and disclose this.

versus going to some random online community with like-minded kids and do some nefarious stuff with your exploit or just sell this to whomever comes up with money and is ready to pay, it’s probably better.

Paul Asadoorian (54:00.739) It also, you know, we’re focused on zero days, but once a patch is released too, it’s still a bad day for defenders, right? Like, and a lot of what we’re seeing in the wild is, I mean, we just, I just read the report from CISA on Salt Typhoon and Static Tundra from Cisco, and they’re both, like, leveraging that 2018 vulnerability. I think it was in SMI, Cisco’s Smart Install product.

Vlad Babkin (54:10.098) Yep.

Paul Asadoorian (54:30.058) And so now we’re set, you know, the patch was issued seven years ago, yet here we have two independent threat actor groups that have been confirmed, I believe, to both have used that exploit from a vulnerability from 2018. So a lot of times attackers don’t need a zero day. They just need us to not apply the patches, which, there’s a lot of reasons why a lot of us don’t apply the patches, and you’re still off to the races. And I think sometimes we run into the assumption that it’s not being exploited in the wild.

But how do we know that if we don’t have visibility into every single system?

Evan Dornbush (55:03.368) Yeah, that’s a true point. And again, I think you’re right. I mean, zero days get a lot of attention because they’re scary, right? There is no patch, but there are other companies that are out there that are solving the patch management and patch prioritization process. And so we didn’t want to dabble in that. Now, we will sell public

Paul Asadoorian (55:23.714) Yeah.

Evan Dornbush (55:26.184) bugs as well. Like, if there’s a researcher that has a thing for a particular CVE, yeah, you can, you know, as long as it’s disclosed, and so there’s an ability again, like, we work with some red teams that are, they don’t want zero days, but they still want capability, and not everything is just, like, findable, you know, in, like, the Metasploit database or on GitHub. And so there, you know, there is, there’s reason to research again, and this works really well for students, right? Like you can, to Paul’s point earlier, like,

work from the patch and work backwards, independently create an implementation for something, and maybe make a couple of dollars while learning and studying for your degree. It’s a great avenue.

Paul Asadoorian (56:03.572) And I think AI, I think that’s a great use case for AI, by the way, in the research teams I’ve seen. And like, I don’t think attackers are going to come out and say that that’s what they’re doing. But we can kind of guess, right? We can have a theory that they’re also doing that, right? If the people who are the good people in security, right, that aren’t criminals, are going, hey, I used AI to help me with this patch diff, you’ve got to imagine that attackers are doing the same thing. And it’s a great task for AI. Like,

Evan Dornbush (56:07.731) I do too, yeah.

Paul Asadoorian (56:32.194) 2,000 lines of code changed, like tell me which ones I should start with, right? I’m not saying it wipes out the knowledge that you need to be a security researcher, because it doesn’t, but it certainly helps cut down the time, right? In a patch diff scenario, for example.

Evan Dornbush (56:34.58) Yeah.

Evan Dornbush (56:46.09) But in theory it should also cut down the time it takes for vendors to issue new patches, and we have yet to see that, but…

Paul Asadoorian (56:52.65) Well, and there’s public, yeah, well, there’s public proofs of concept that are using AI and LLMs to identify vulnerabilities and create patches for them too. And I think I theorized in a podcast last week that we’re just in an arms race now of using AI. Like, we’re finding vulnerabilities with it. We’re creating patches for it, but if you can create a patch, you can create an exploit for it. So, like, now the race is on.

Evan Dornbush (57:16.542) Yeah, and again, we as Desired Effect sit in the middle of that, and we just work the marketplace angle of it, because at some point people are doing it for reasons and those reasons should be rewarded. So, completely agree with you.

Vlad Babkin (57:28.74) And better yet, if you think about it, some patch comes out, and okay, if it is a patch, say, okay, let’s say we found yet another vulnerability in Microsoft Windows. Well, you know where you have Windows, right? Sure, but what if something comes out in OpenSSL, and now you have a mouse game of trying to find this across your entire infrastructure? So that gets very fun. And suddenly you need estimates of how bad this specific vulnerability is.

Do I even care about patching it in every device, or do I care about it only on some specific ones?

Paul Asadoorian (58:02.573) Well, we ran into it with BMCs. We can tell you how many BMCs are exposed to the internet, but the number we can’t really get a good handle on is how many BMCs are in data centers that aren’t exposed to the internet. We theorize a lot, right? But we don’t really know the exact number. So we don’t, the scope is kind of lost, right?

Vlad Babkin (58:22.118) Yup, even better yet, like, something that, again, our company is trying to solve as a mission is to get people to disclose what their software and hardware is composed of. Like, if you had a list of all of the libraries and firmwares, that would make your life easier. But, yeah.

Paul Asadoorian (58:31.906) Mm-hmm.

Yeah.

Paul Asadoorian (58:39.444) Evan, sorry, closing thoughts. I’ll turn to you.

Vlad Babkin (58:39.846) Kind of all in the same boat.

Evan Dornbush (58:46.922) I, like, I should have prepared some kind of a speech or something. No, I think I’m heartened. I think last week or two weeks ago on the weekly PSW show, I think there was a little bit of, like, hey, exploits are always unethical and we should never be selling them. And so I’m like, well, hold on a second. There’s another perspective. I think, takeaways: if you haven’t listened to that episode of PSW, please go listen to it.

Paul Asadoorian (58:49.724) Mm-hmm

Vlad Babkin (58:50.822) Yeah

Paul Asadoorian (59:09.856) Yeah

Evan Dornbush (59:17.342) I think, again, it is equally important that the research community has advocacy on their side. And so I thank you for the opportunity to kind of take the mic once more.

Paul Asadoorian (59:28.042) Awesome. Evan, thank you so much for appearing on Below the Surface. Thanks, Vlad and Chase. Thanks everyone for listening and watching this edition of Below the Surface. That’ll conclude this episode. We’ll see you next time.

Chase Snyder (59:40.084) Thanks, Evan. Great meeting you.

Evan Dornbush (59:41.225) Yeah, cheers, likewise.