The zero-day industry tries ‘transparency’ in Dubai
In an industry that tends to be quiet by design, a new international firm is deliberately making noise.
Headquartered in the United Arab Emirates, Crowdfense first attracted attention in April when it announced a $10 million fund to pay enterprising hackers for zero-day exploits that the company then turns around to sell to government customers. The payouts include up to $3 million for hackers who break into iOS and Android devices.
The big money comes paired with an earnest promise of “transparency” that is unique in an industry where secrecy is standard operating procedure.
Crowdfense director Andrea Zapparoli Manzoni told CyberScoop that he wants to “do things differently.”
The zero-day industry uncovers — through research or by purchase — exploits in computer systems and then sells them to the highest bidder. Many governments and even some private companies are involved in the business. Crowdfense has a lot in common with its closest competitor Zerodium, a well-known “exploit acquisition platform” that had offered some of the largest ever public zero-day rewards until Crowdfense showed up.
Zerodium didn’t respond to a request for comment.
Oppressive regimes can turn the potent tools against their own citizens while these developers rake in the cash. The well-known companies, like Israel’s NSO Group, make over $200 million in sales per year, according to one employee of that firm. Other big players include Italy’s HackingTeam and Germany’s Gamma Group.
“This sector has no proper regulation,” Manzoni said. “All you can do is try to self-regulate and do no evil.”
Manzoni, an Italian citizen, wants to build a successful and “decent” zero-day business by following a set of self-imposed rules that focuses on one point: “We deal only with countries with track records of human rights respect.”
Manzoni says Crowdfense, which is headquartered in the tech-rich United Arab Emirates, does not sell to nondemocratic regimes. The company doesn’t work “with Asia or dictatorships” and it “tries to avoid selling to countries where revolutions and civil wars are going on.”
“When tools get sold to nondemocratic countries, it’s inevitable that dictatorships will use it to go after their internal population,” Manzoni said.
Crowdfense also doesn’t build “mass surveillance tools,” instead focusing on exploits that can be used in highly focused operations against fewer than a dozen targets, he said.
The policy of avoiding selling zero-day exploits to certain countries certainly sets Crowdfense apart. But it’s an interesting choice for a company headquartered in a nondemocratic Asian country notorious for both its love of new and expensive technology and its longstanding and continuing human rights abuses.
In many ways, the UAE is a great place to start a business. It’s home to the second-largest economy in the Persian Gulf region, fueled mostly by oil exports. The country offers extraordinary recruiting packages to foreign technology talent including tax exemptions and paid-for housing, food, health care, education and transportation. For tech startups hungry for both cash and talent, that’s a hard package to ignore.
The country is also known for its use of highly focused zero-day exploits to spy on and detain internationally celebrated human rights activist Ahmed Mansoor, who was recently sentenced to 10 years in prison for insulting the country.
Manzoni stressed that there is no way to know how the company’s customers use its tools, due to the nature of their work. But “it’s easier for us to vet our customers,” he said, because the company is supporting actions like “sting operations by law enforcement agencies” rather than doing mass-surveillance work for the highest bidder.
For a company throwing $10 million prizes into the public arena, questions quickly arose about the firm’s funding. The blog Intelligence Online reported last month that the UAE and Saudi Arabian governments are financially backing Crowdfense. Alongside the UAE, Saudi Arabia has a long history of antidemocratic human rights abuses, including the recent jailing of activists advocating for a woman’s right to drive.
When asked about the source of the company’s funding, Manzoni declined to give a specific answer one way or the other despite the transparency plea. He did, however, say that part of the reason Crowdfense is headquartered in the UAE is to attract better investment.
“We were funded by a pool of international investors,” he said. “It’s a new way of doing this kind of thing so it’s a high risk that it won’t work. It’s a big question mark.”