
Russian security services deny interest in buying Western software vulnerabilities

Russia's First Exchange, which specialises in the sale of vulnerabilities in popular software such as Adobe Flash, Windows, Tor, and iOS, is growing in popularity among special services and experts in the field of cyber-security.

The exchange was launched several weeks ago by a group of Russian hackers, with the aim of purchasing software vulnerabilities for further re-sale to special services, state bodies and information security companies.

Prices currently range from US$ 35,000 for vulnerabilities in some popular Web browsers up to US$ 80,000 for weaknesses in operating systems such as Windows, OS X, Linux, and some others.

According to Andrew Shorohov, the founder of the company, in addition to buying and selling exploits, the company conducts its own research and development of vulnerabilities, and is working on its own software with a set of test exploits that allows pen-testers to evaluate the level of security of any IT system.

The company also resells exploits to IT companies to conduct further penetration tests, as well as to state agencies.

Russian IT security analysts say that the demand for software vulnerabilities in the country is steadily growing and currently comes mainly from special services and commercial structures.

Vladimir Varnavsky, head of Varnavsky Enterprise, one of Russia's leading anti-virus providers, told SC that in recent years, amid ever-growing cyber-threats and the increase in the number of cyber-attacks, Russian special services have become one of the biggest buyers of such exploits.

Official representatives of the Russian Federal Security Service (FSB) have denied that this is the case, saying that they have their own cyber-security resources and have no need to purchase any programs from companies and people with dubious reputations, which could cause legal problems.

Varnavsky, however, adds that carrying out these activities is not contrary to the law, as, he says, many vendors buy vulnerability information, and not only for their own software. Such information is also of interest to anti-virus companies, as it allows them to update their anti-virus databases.
