The United States Navy is seemingly looking to buy exploits and vulnerabilities, be they zero-day or otherwise, found in popular consumer software made by Microsoft, Adobe, Google, Apple and others.
It’s no secret that security researchers and cyber criminals often buy and sell exploits online. Researchers usually sell their findings back to companies in bug-bounty programs, while criminals usually sell their knowledge to other criminals who can then exploit the unpatched vulnerability.
But there’s also a third kind of exploit buyer out there, and that’s governments, who use these exploits for their own cyber-attacks. That’s seemingly the case here, where the US Navy actually posted an ad saying they were buying exploits found in popular software.
To what purpose? The Navy’s ad made it very clear, in case anyone had any doubts:
The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). […] The government will select from the supplied list and direct development of exploit binaries.
While this practice isn’t new, it’s worrying to see how cavalier the government is in publicly stating that it chooses to develop digital weapons instead of improving the security of millions by disclosing and helping fix the vulnerabilities it acquires. Then again, it’s not like the government ever needs better security. Oh wait!
And yes, while there is a classified program through which the government supposedly discloses such vulnerabilities to companies, it’s hard to believe that after spending millions of dollars to develop said exploits, the authorities would have any incentive to simply give them up and tell companies to patch them.
The Navy’s ad was quickly taken down after the Electronic Frontier Foundation and others in the public noticed it.