Last week, Forbes’ Andy Greenberg investigated a dangerous but largely underreported problem in Internet security: the sale of zero-day exploits to customers not intending to fix the flaws. Zero-day exploits are hacking techniques that take advantage of software vulnerabilities that haven’t been disclosed to the developer or the public. Some companies have built successful businesses by discovering security flaws in software such as operating systems and popular browsers like Google Chrome and Microsoft Internet Explorer, and then selling zero-day exploits to high-paying customers—which are often governments.

France-based VUPEN is one of the highest-profile firms trafficking in zero-day exploits. Earlier this month at the CanSecWest information security conference, VUPEN declined to participate in the Google-sponsored Pwnium hacking competition, where security researchers were awarded up to $60,000 if they could defeat the Chrome browser’s security and then explain to Google how they did it. Instead, VUPEN—sitting feet away from Google engineers running the competition—successfully compromised Chrome, but then refused to disclose their method to Google to help fix the flaw and make the browser safer for users.

Read more