Vupen

Vupen Security is a French information security company founded in 2004 and based in Montpellier. Its specialty is in discovering zero-day vulnerabilities in software from major vendors in order to sell them to law enforcement and intelligence agencies which use them to achieve both defensive and offensive cyber-operations.^[1]

In 2011, 2012, 2013 and 2014 Vupen won first prize in the hacking contest Pwn2Own, most notably in 2012 by exploiting a bug in Google Chrome. Their decision not to reveal the details of the vulnerability to Google, but rather to sell them, was controversial.^[2] Unlike 2012, during Pwn2Own 2014, Vupen has accepted to reveal to the affected vendors, including Google, all its exploits and technical details regarding the discovered vulnerabilities, which led to the release of various security updates from Adobe, Microsoft, Apple, Mozilla, and Google to address the reported flaws.^[3]

According to an article in the German weekly "Die Zeit", Vupen earned a profit of 415.000 Euros in 2011. Some years ago Vupen was still providing information about vulnerabilities in software for free, but then decided to earn money with its services. "The software companies had their chance", said Vupen-founder Chaouki Bekrar according to the article, "now it's too late".^[4] The German magazine "Der Spiegel" reported that German authorities were clients of Vupen until September 2014. ^[5]

References