Netragard Ends Exploit Acquisition Program After Hacking Team Breach

Trailrunner7 writes: After the fallout from the HackingTeam breach, Netragard, a company that buys and sells exploits, has decided to shut down its exploit acquisition program. Leaked documents show that Natragard was selling exploits to the Italian maker of intrusion and surveillance software. In addition, documents further showed that the company sold its products to a variety of oppressive regimes, including Egypt and Ethiopia. A company statement reads in part: "We’ve decided to terminate our Exploit Acquisition Program (again). Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations. While it is not a vendors responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it."

How convincing!

So, these fine and respectable folks are shocked, shocked that dodgy reselling of exploits might be going on. Really. How utterly plausible.

Unless you are selling to an end user who does their own development, what other possible outcome could you expect? They only want to purchase the exploit from you because they think that they can package it up and sell it on to enough of their own customers to come out in the black. That is a situation where all the incentives push toward transactions being largely secret and provide an incentive to try to be as 'flexible' as possible when screening potential purchasers. The only reasonable expectation is that the exploit you are quietly selling is going to end up in some potentially troubling places.