It’s become a familiar walk for Chaouki Bekrar. Year after year at the Pwn2Own contest, the controversial Vupen founder is hurried from a small room in the basement of the Sheraton hotel to a suite several floors above. It’s a short journey from where a string of zero-day exploits is executed to where formal disclosure is made to the vendor in question. It’s also where payment is arranged, and on this day, exclusivity is promised to HP’s Zero Day Initiative.
Bekrar made this trek four times on Wednesday, earning close to $400,000 in the process and cementing his place as perhaps one of the most divisive people in security. Vupen, a French company, is well known as an exploit vendor, and its magnetic figurehead stands by his well-worn mantra that the zero-days they develop are exclusively for customers, a list that includes a number of NATO governments. Vupen, Bekrar said, will not sell zero-days to repressive regimes.
“I believe our industry is now normal business,” Bekrar said. “Now a lot of companies, most in the U.S., are doing the same research as Vupen and selling to government customers. It’s become common and nothing surprising.