🟡 Medium  |  Source: Krebs on Security


A cybersecurity startup offering large sums to acquire zero-day vulnerabilities is reportedly operated by convicted felons with histories of fraud, fake intelligence firms, and AI-based influence operations run under assumed identities. The concern is that vulnerabilities purchased by such a firm could be exploited offensively, sold to hostile actors, or used in ways that circumvent legitimate disclosure processes. This raises serious questions about the integrity of the vulnerability acquisition market and the risks of selling security research to unvetted brokers.

Security Architect’s Take: If your organisation’s security researchers or red team members are considering selling zero-day research, enforce a clear policy on approved disclosure channels and vetted brokers only — conduct due diligence on any vulnerability acquisition firm before engaging, including checking company registration, beneficial ownership, and the backgrounds of named principals.

Original advisory: Felons, Fraudsters Flog Offensive Cybersecurity Startup