It's a somewhat controversial business model that has been criticized by digital rights advocates and various people from the IT security industry who argue that it makes the Internet less safe because the vulnerabilities remain unpatched and known to third parties who may be interested in exploiting them for offensive purposes.
However, the practice is not new. It's been known for years in the security research community that some companies and independent researchers are selling information about unpatched vulnerabilities to governments and other private buyers, but such transactions used to be done discreetly.
In the absence of additional details and vendor confirmation, it's hard to independently confirm the existence of these vulnerabilities. However, Auriemma's reputation as a prolific vulnerability researcher and his past work in the field of SCADA security lends credibility to his company's claims.
During the past few years, before creating ReVuln together with former RIM security researcher Donato Ferrante, Auriemma reported dozens of vulnerabilities in SCADA software.
"Luigi [Auriemma] has found many vulnerabilities in SCADA and ICS [industrial control systems] in the past, and I'm sure he will continue to in the future," said Dale Peterson, CEO of Digital Bond, a Sunrise, Florida-based company that specializes in ICS security research and assessment, Tuesday via email. "He is talented."
That said, finding vulnerabilities in SCADA software is not that hard to do, Peterson said. "The issue with these applications is they were developed without security integrated into the development process."
"It is similar to what Microsoft was doing in the 90s," he said. "Without a security development lifecycle you will see the common programming mistakes that lead to vulnerabilities and exploits over and over."
As far as ReVuln's business model is concerned, "Digital Bond's position is that the person who finds the vulnerability can decide what to do with it," Peterson said. "Report to the vendor, a CERT, sell it, publish it, or keep it for future use. We have done all of the above and make our decision on a case-by-case basis."
"It really doesn't matter if this is right or wrong for ICS or any market," Peterson said. "It is the way it is, so there's no value in discussing responsible disclosure."
David Harley, a senior research fellow at security vendor ESET, said Tuesday via email that, while he belongs to a generation of researchers that prefers responsible to unrestricted disclosure, he can understand that vulnerability researchers expect something in return for their efforts.
However, if security researchers who find vulnerabilities in industrial control systems don't self-regulate or get support for their work through a government program, they run the risk of meeting legal and other forms of pressure because issues that can affect national security attract particular attention, Harley said.
"Vupen lays claim to a certain amount of self-regulation (in terms of being choosy about its customers): I don't know about Revuln, but at least what they're doing isn't full, promiscuous disclosure," Harley said.
"I can't say I feel comfortable with this, but it may be that legitimized and monetized research will work out better for the online world than multitudes of individuals and unofficial groups working semi-covertly," the ESET researcher said. "If so, let's hope too much damage isn't done while that market stabilizes."
As far ReVuln's customer selection process goes, Auriemma said the company "accepts trusted customers from reputable countries only."