A few years ago, following the failure of WabiSabiLabi’s 0day auction site, I gave some thought to how to create a public marketplace for exploits that actually works. Obviously, given the example of WabiSabiLabi and a little common sense that any vulnerability researcher worth their salt would know, you can’t have a public market for 0day vulnerabilities. As WabiSabiLabi quickly found out, by disclosing enough information about the vulnerability so that a potential customer can make a determination about whether or not to buy it, you’re likely giving up enough information about the vulnerability for them to find it themselves, given varying levels of time and effort. Thus, you can really only market 0day to trusted customers, and when your marketplace is open to the public, your customers are most definitely not trusted and consist of various demographics who have lots of disposable time on their hands to go hunt down your vulnerabilities. So, I thought, what if we remove 0day from the equation entirely? Could an open market for exploits of public vulnerabilities work? Would anyone actually buy such exploits? ExploitHub was born, and it turns out the answer is yes.
Well, it wasn’t born overnight. At first, my idea was to create an open marketplace for the buying and selling of Metasploit exploit modules that was integrated directly into Metasploit, like an iTunes-style App Store for the Metasploit Framework. The overall application was to be both on the web and integrated within Metasploit, as the exploit Authors also needed an interface with which to submit and manage their exploits, since the original Customers’ interface would essentially be Metasploit itself. This functionality is actually still part of the plan; however, we’ve focused on fleshing out the community features of the site before integration with Metasploit and have since expanded beyond only supporting Metasploit exploit modules due to popular request. I took my original idea to HD Moore at the time for some feedback, given that Metasploit is his application, and as it turns out, NSS Labs had approached him with nearly exactly the same idea within a few days of me speaking to him about it. Since NSS Labs and I essentially had the exact same idea at nearly the exact same time, HD suggested we discuss it with each other and potentially partner on the project. This resulted in nearly a year of design and development of what was to become the ExploitHub.
Flash-forward to BlackHat USA 2011 and DEFCON 19 and the official launch of ExploitHub. We held a small launch event and the project was very well received by the community and industry at large. At the time we had a handful of initial exploit Authors offering their exploits for sale in the store, and today that small group has expanded quite a bit. At launch, we immediately had revenue in the form of site-licenses sold pre-launch and were able to immediately begin paying Authors residual monthly payments from that revenue. At the time, individual purchases of exploits were not even enabled yet; however, we rolled out that capability about a month later. Following that, we launched a development request and bounty system which allows Customers to provide Authors with guidance regarding what exploits they would like to see developed and how much they are willing to pay just to have those exploits created and submitted to the store.
Overall we’ve come a long way in a couple of years and made great progress since our initial public launch. To date, we now have over 100 exploits for sale in the market which are exclusively available via ExploitHub. We also recently launched the ExploitHub blog, which is where I will likely be posting further ExploitHub-related information rather than here, so if you’re interested in this project, I would recommend you follow that blog as well.