
BSidesSF 2018 - From Bounties to Bureaucracy (Brian Gorenc)

BSidesSF · 36:27 · 195 views · Published 2018-04 · Watch on YouTube
About this talk
Brian Gorenc - From Bounties to Bureaucracy - The Hidden Market Factors of Exploit Economics

Bug bounty programs are nearly ubiquitous today, but that wasn't always the case. When the Zero Day Initiative (ZDI) was founded in 2005, bug bounty programs were considered a rare and somewhat controversial commodity. Now they are seen as an indispensable means for companies to acquire bug reports. Our initial goals were similar. The ZDI program extended our own research team by leveraging the methodologies, expertise, and time of others around the globe. Imagine adding more than 3,000 independent researchers from around the world to your team. Having the program asymmetrically enhanced our research capabilities through vulnerability acquisition. The program also provided the data needed to protect our customers while the affected vendor worked on a patch. Since that time, the program has awarded more than $15 million USD while ensuring nearly 4,000 0-day exploits were patched by vendors, all of which makes the computing landscape a safer space and makes ZDI the world's largest vendor-agnostic bug bounty program. Even if you don't participate in a bounty program, they impact you and the systems you defend. Over the last decade, mature bug bounty programs have evolved from simply acquiring bug reports to providing real insights into vulnerability and exploit trends. Bug submissions to the available bounty programs had the unintended consequence of effectively crowd-sourcing vulnerability intelligence by showing industry trends and state-of-the-art exploitation methodologies. Bounty programs impact the exploit marketplace while disrupting the exploit efforts of advanced threats and persistent actors. These programs have tracked the rise and fall of bug classes over the years, and they've tracked the rise and impact of government regulations in different regions of the globe.

As shown in recently leaked government documents, bug reports that come through bounty programs disrupt various pieces of the exploit market and force bad actors to change their exploit techniques. When combined with top-tier, in-house researchers, the best programs are capable of predicting the next major attack surface that will become popular, based on what bugs are submitted to the program. Join ZDI Director Brian Gorenc as he covers the current landscape of bounty programs and the winding, often controversial road that led us here. He also covers the vulnerability economy and the role bug bounties play in shaping the exploit marketplace. Finally, he'll show how effectively run programs have disrupted exploit usage in the wild.
Transcript (en)

This is by far one of the biggest screens I've ever presented in front of, which is pretty awesome. All right, let's get started. Welcome, everybody, to the first day. I'm excited to be here. We're going to be talking today about bounties and the effects that different actions have on the actual exploit economics and what's going on in the underground. We're going to cover three different areas. First, for those of you who aren't used to working in this space, I'm going to introduce the economy, what it looks like. We're going to examine the gray hat market and how they go about selling vulnerabilities and exploits, and we're going to talk about how actions that are taken by vendors in the industry affect what people are researching and the types of bugs that are being discovered and sold in the white market and the gray market.

Just to give you a quick introduction: my name is Brian Gorenc, I'm the director of vulnerability research inside of Trend Micro, and my primary responsibility is running a program called the Zero Day Initiative. Now, how many of you have heard of the Zero Day Initiative? All right, we're doing a pretty good job, actually. We'll talk about that program here in a second, because a lot of the data that we're going to be talking about is from that program. I also organize, run and adjudicate the ever-popular Pwn2Own hacking competition. Who's heard of that? Probably more people, yes. For some reason the program is not as popular as the actual contest, and I think that may be because we offer more money at the contest. So I've been running that contest for about seven years now, and I've seen a lot of the effects of the different regulations that are coming on board, and we'll talk about those. I spent a lot of time participating in the market as well. I was, let's do this, there we go, I was working on a team that was awarded one of the largest bounties ever from Microsoft, at one hundred and twenty-five thousand dollars, for attacks against Internet Explorer's isolated heap and memory protection mitigations. I've done a lot of bug hunting in my past. Prior to working at ZDI and running ZDI, I actually submitted vulnerabilities to ZDI, so I've been in the marketplace for a long time, buying bugs and working here.

What you see on the screen here is the Zero Day Initiative program, and all those blurry little lines over there are supposed to be CVEs. Over the 12-year history of this program we've disclosed and purchased over 4,500 zero-day vulnerabilities, and we are what you would consider the world's largest vendor-agnostic bug bounty program. Now, what's different about that compared to other programs? We are not HackerOne, we're not Bugcrowd. We are not paid by the vendors to buy the vulnerabilities for them. We don't run a bug bounty service; we are a bug bounty program for the purposes of intelligence gathering. We use this intelligence to feed the Trend Micro product line so that we can actually find the vulnerabilities being actively used in the wild and be able to filter and protect against the different exploit techniques that we are purchasing. So our business model is very different: we buy the best stuff off the market. We don't have to buy everything, we just buy the best stuff, right? And we don't typically focus on web vulnerabilities; we're focused mostly on client-side and server-side vulnerabilities, things that are going to be actively used in APT campaigns, and that gives us insight into what's actually going on in the underground and what is actually going to be used in those types of attacks.

Now let's talk about the exploit economy for a little bit and introduce it for those who are not used to it or have just started to get into it. As a researcher, and I was a researcher before coming to the ZDI, when you found a bug you had a couple of options that you could work in. The first one is the white hat space: you can work and submit the bug to a bounty program, and those bounty programs will work with the vendor to fix the vulnerability. This is where ZDI lives, this is where HackerOne lives, Bugcrowd, all these different companies, this is where they operate. We use it for intelligence purposes, for creating signatures; they use it for selling services. Now, the other option that's available is for people to go work and sell, and the researcher can take the vulnerability and exploit and sell it to the gray market. They can sell to the government through defense contractors, they can work through a vulnerability broker. The thing is, with this market you don't know where that exploit is going to be used, but it's going to be a higher-price exploit, because these companies, or the governments, that are purchasing these vulnerabilities really don't care about costs. You know, if a missile being launched in a warfare situation costs twenty million dollars, a hundred thousand dollars for a single exploit is really not that much to these people. So you can actually make quite a bit of money in this space. Now, you can also work in the black market, or sell your exploit to an exploit kit creator. This exploit kit is then sold to people who generate botnets, and then they rent out the botnets for use in their campaigns, either spamming or DDoS extortion or credential harvesting. Now, a smart criminal is going to buy a lot of these credentials and sell them to dumb criminals, who are going to use them to buy beer and chips, and that's kind of the trickle-down economics for the exploit economy. Now, traditionally dumb criminals are going to be caught; they're going to get arrested. Spammers are going to be caught, because everybody hates spammers; eventually they're going to be captured. And smart criminals typically get caught, but everybody else does not get caught. All right, the people selling the exploits, selling the kits, using the kits before they rent them out, they're traditionally not caught by law enforcement.

Now, this economy is really active. Most of the people in this room who have been working in it for a little bit will know this, but what we can do is look at the incoming submission rates into the Zero Day Initiative to understand how active this economy is. What you see here on the screen is the number of submissions coming into our program over the last five years. You can see the consistent growth of vulnerability submissions, of vulnerability researchers working in the space submitting bugs to bounty programs, going from less than a hundred bugs in 2013 to over a thousand bug submissions in a single quarter coming through, at least through our program. So that's an active marketplace, for sure.

Where are we buying all these vulnerabilities? We're buying them from all over the world. What you see on the screen here, all the blue countries, are countries that we've purchased bugs in before. Now, since I've made this a couple more countries have come online, specifically Mexico; we receive a lot of vulnerabilities from a researcher in Mexico. And we're actively buying new stuff out of Africa, so we've actually recently bought a baseband exploit to compromise a cell phone without touching it out of Africa, and we've also bought several Office zero-days out of Africa as well. So that country is kind of coming online now as they mature in their research capabilities. Now let's look at this map and guess: where do you think we're buying vulnerabilities from for Microsoft products, Apple products, Oracle products, Google products? Where do you think we're buying all of those vulnerabilities from? Just yell it out. China? China, the US and Canada, this is where we're buying all of these vulnerabilities. This makes sense if you think about what they're actively using in campaigns; the researchers in those areas are looking for bugs in those products, and that's what we're getting most of our research from, historically the United States and Canada, and China has come online a lot recently over the last several years.

Now, where are we buying all of our critical infrastructure software vulnerabilities, things like SCADA, the machines that are actually running the SCADA infrastructure, like the human-machine interface? Where are we buying all of those bugs from? Russia. We buy almost, probably 80% of the bugs coming through our program in SCADA applications are coming from Russia, a significant amount, which also makes sense if you think about how that government is supposedly using those in offensive campaigns. These are in products like ABB, Advantech, Schneider Electric, Siemens, all of these different companies that are used across the world to run critical infrastructure. Most of the researchers looking at it are from Russia.

Now, I always get asked the question, why do the researchers not go to the gray market? The gray market's got to be more lucrative. But in our space we could never really understand, other than through conversations; I could never point to data that shows how lucrative the gray market is. Our chief competitor, we're in the white market, we're trying to disrupt the gray market as much as possible; we couldn't really do that until the Hacking Team breach. And when the Hacking Team breach came out, most of the industry, I mean all of the InfoSec community, was looking for the zero-days; they were digging through the databases, digging through the emails, looking for the zero-days so that they could get them fixed, and that makes sense. But we took a different approach in our group: we looked at the economics. What was this company doing, who were they buying from, were there any correlations or any collisions that we could have, and could we demonstrate that we were making an impact in this space? It was a very lucrative business for them. They were selling a RAT; they used zero-day vulnerabilities to break into networks, and they were selling this to governments. The top PO that you see on the screen is for a support contract from the Czech Republic for ninety thousand euros per year for support. The one below that is a PO for a support contract for a hundred and eighty thousand euros per year for the service. Now, these aren't the only two countries buying this: countries like Guatemala, Lebanon, Mongolia, Russia, Egypt, Vietnam, Malaysia, Brazil, Bangladesh, South Korea, Saudi Arabia, Cyprus, UAE, and a small company out of Maryland, which, there's other agencies in Maryland as well. So just different groups buying this type of service, so it is a very active marketplace on the gray side.

Now, if we look at their business and how it was operating, we can see how well they were doing by looking at their profit and loss spreadsheets. This is from a presentation of theirs. You can see that over 2015 to 2016 they were expected to grow 30%, which is significant for a company in this industry. They had 55 full-time employees paying about 80,000 per, and they're located in Italy, so that's about the going rate. And the interesting thing for us, that we were really interested in, was this other personnel cost. This is the cost for subcontractors, typically, in a company, and traditionally where you would go to buy the zero-day weapon that you're going to end up selling in your service. So how exactly do you buy a zero-day on the gray market, and how is it different than what we do buying zero-days in the white market? Well, the first way to do it is through consultancy, and this is how we do it in the white hat market as well. A researcher will submit us their intellectual property, we'll verify that it exists, and we will purchase that off of them for a price, and we will treat them as an independent contractor in our system. This is the same way that the gray market does it. In this case what you see is an invoice for a researcher to do consultancy services for this company for 40 thousand euro. Now, what's interesting is the individual that they're talking to: Vitaly Toropov. Now, Vitaly Toropov, prior to the Hacking Team breach, wasn't very well known publicly for doing research, but he certainly was after the Hacking Team breach. Everybody talked about Vitaly Toropov and how great it was, and in fact he is a great exploiter. But we had known about Vitaly Toropov for many years; he had been submitting to the ZDI program all sorts of vulnerabilities that we ended up fixing with the vendor, and he had about a hundred percent success rate: every single bug he submitted to our program we purchased and got a patch for. He was also working over here at Hacking Team, and what's interesting about Vitaly and why this type of approach is important is because this individual was able to exploit software in ways that weren't publicly defined. So as an intelligence group trying to protect customers, the fact that we know how his exploits work makes it better for us from a protection perspective, because what he's doing is not what's publicly defined right now.

What's another way of doing this? Another option is to work with a vulnerability broker, right, and what they do is, there are individuals out there who will work with researchers and sell the researcher's product to a client, and they will charge a fee on top of that to sell the vulnerability, the idea being keeping the researcher anonymous from the client. Right now, one of the things that happened in this breach was the release of a broker's exploit inventory, so we can get an idea of how they're selling their bugs or their exploits. What you see on the screen here is from a group called VBI, Vulnerability Brokerage International, and they were selling an Adobe Flash remote code execution exploit. And what's interesting is, in this case they actually act differently in the gray market than in the white market. In this case they are selling the asset in different ways: one is an exclusive purchase, one is a non-exclusive purchase, and the other is a monthly license. Now, depending on what you're trying to do they have different values, but the one that's most interesting to us is the exclusive purchase, where you're going to buy the vulnerability once and it's going to be used in an operation where you fire and forget: you basically shoot the bullet one time, you never use it again, so that it's never caught, and that's why you buy an exclusive license. Very interesting in how that works. Now, that's going to garner the most price. So what does that mean, how much is that? Well, let's look at this. The cost of an exclusive license exploit is about ninety-five thousand dollars back when this was released, a little bit higher now. But they pay differently than we do in the white market. We pay a hundred percent up front, because our goal is to make sure the bug is killed as fast as possible, so we just pay a hundred percent of the fee up front. In the gray market, and vulnerability brokers, they're paying to ensure that the vulnerability maintains its zero-day status. So what they do is they pay it on a schedule: fifty percent of the value after 30 days, 25 percent after another 30 days, and another 25 percent after another 30 days, making sure that the researcher is not going to sell it through the broker and then immediately turn around and sell it to the ZDI, because we're going to kill the bug and that will no longer be useful. Now, I've talked to some brokers in Europe the last time I was there, and they said that since this leaked it's pretty much the same, except that the time periods are a little bit longer now.

Now, our goal in the white hat industry is to try to effect, in our case, gather intelligence, so we understand the attack surface, and kill as many bugs as possible. But we also want to have an impact on the gray market. So how do we check whether we have an impact on the gray market or not? We do this by looking at the exploit lists that they're selling. We want to buy bugs in products that they have exploits for, so that we can affect the attack surface in a way that makes those exploits useless. So if we look at the inventory for VBI, we can look at the bugs that we're buying and we can see we map pretty closely to this marketplace, so we're able to purchase vulnerabilities in all of the products with the red arrows next to them. Now, why is this important? We understand that we are able to affect, we're buying the right products, we know how they're selling, we know how all this works. But the reality is we're living in a Shadow Brokers world, right? Last year, with the release of the Equation Group exploits from Shadow Brokers, we all saw what happened: all of these governments and all of these groups had very advanced cyber weapons capabilities, and we saw those actively used in the wild in the previous year. So how do we know we are making an impact there? What we really want to see is a collision, what we call a collision in our industry, where we're buying a vulnerability that's actively being used in a government-grade exploit, and we happen to be forcing the government to actually change the way that they're operating. And we do have evidence of this.

When the Equation Group's information was released, which is supposedly the NSA's tailored access group, they released an exploit toolkit, we all know this in this industry now, and one of those was EternalBlue, which ended up being turned into WannaCry, which ended up causing a lot of ransomware infections. Another exploit in that group was called EwokFrenzy. EwokFrenzy was an exploit for IBM's Lotus Domino, which is a mail server that is a competitor to Exchange and is often used by people who don't want to pay for Exchange, because for whatever reason they think Domino is more secure, or it's used a lot in the defense industry, which makes it an interesting target for the people supposedly using these exploits. Now, this vulnerability was CVSS 10, which is the most critical vulnerability that you can have; it's a remote system, remote root without authentication exploit. And we actually purchased that vulnerability back in 2006. We purchased that vulnerability, we supplied it to IBM, and they fixed it as a denial of service condition. We released the advisory as a remote code execution vulnerability, and the NSA agreed that it was also a remote code execution vulnerability, because they had an exploit for it in their tool chest. So just a very interesting collision back in 2006, and that's how old that exploit kit was, very, very old, and with really solid exploits. I actually analyzed that exploit myself and it was very, very clean; it did exactly what it needed to do.

Now, is there another case where we have a collision? We have collisions we know from the NSA side of the house, but we also have a very interesting collision that most people don't know about, which we'll talk about right now. If we remember, the Stuxnet exploit was one of the first cyber weapons to come out, and it was attributed to the United States and Israel breaking in to the Iranian power plants and breaking the project. The idea, or the way that the exploit worked, is you had to jump an air gap, right? So we had to jump an air gap; it wasn't connected directly to the network, and so to do that they used a vulnerability in the LNK processing for Windows where you basically plug in a USB, a folder pops up, and code execution occurs, right? So when the code execution occurs they're able to install their malware; there's no user interaction, it makes it real simple, and then they launch their payload, break the PLCs, destroy the centrifuges, hurray for everybody. So that bug was patched in 2010, and the entire industry was looking at that codebase because it was the most interesting cyber weapon that had come out at the time. I mean, everybody, every company was looking at the code, every company was looking at the patch, every company was analyzing the malware and trying to understand exactly how it worked, how it was possible. And then you think, like, that bug is done, we patched it in 2010, it no longer exists anymore,

and then all of a sudden in 2015 we received a submission from a researcher named Michael Heerklotz that supposedly was a bypass to that patch, re-enabling that vector for use. And we saw this, we're like, this is not possible, right? Everybody in the industry was looking at this code; it was impossible. But this computer science student who found the bug, supposedly after reading Countdown to Zero Day, which is a book about Stuxnet, he would go in there and send to us a full white paper and full exploit for a bypass re-enabling this vector. And we analyzed the case, we said, oh, this actually works, this is amazing. Here's what it looks like: you just browse to the folder and bam, code execution. That's all you do. It's also exploitable from a network share: if you have an SMB share, all you have to do is browse the folder and it's game over. There was one way to bypass that patch, and only one way, that this individual had found, and we were like, this is awesome. We bought the bug, we submitted it to Microsoft, we said, Microsoft, you should, like, we weren't at Trend Micro at the time, you should turn on your signatures because this is really strange, right? We just don't normally get full white papers from computer science students; usually it's a proof of concept or, like, you know, some sort of, you know, here's the code that's bad. So we submit that, it goes to Microsoft, they release the patch, we never hear from it again until Vault 7 happened. We started looking at the Vault 7 paperwork, which is supposedly a leak from the CIA's exploit kits or exploit toolchains, and we noticed that they had a closed-network infiltration tool available for use, EZCheese, and after reading the documentation it was leveraging CVE-2015-0096 as the initial vector for exploitation of closed or air-gapped networks. Really interesting to see. In two cases now we have white hat programs affecting the way that cyber operations and government-grade exploits are working. Like I said, again we had hits in the wild on this, and so it's a very interesting bug chain for us. We also have evidence of disrupting possible Russian malware campaigns and also Chinese campaigns through our program. If you dig deep into affidavit paperwork for people who have recently been arrested, you can kind of understand what bugs they're using and who's actually killing those bugs as part of the economy.

Now let's talk about market factors and trends for a second. So now we know we can gather intelligence, we have an effect on the marketplace, we are able to change the way the governments are operating, but can we affect what happens to the marketplace when various actions occur from the vendors? We can do that by looking at the submission rates for various bug classes throughout the program. So what you see here is the submission rate for Oracle Java vulnerabilities coming through our program, and traditionally we have zero to five Java zero-days coming through our program per quarter. But all of a sudden we saw this huge spike in the fourth quarter of 2013, or 2012. Now, this spike corresponds to active exploitation of Java sandbox escapes in the wild, and we have researchers who are looking at those exploits, reverting them and trying to find variants of these and trying to kill the bugs and submitting them to our programs. So whenever we see a spike, we feel that these bugs are going to be actively exploited. Now, what happened in the second quarter of 2012, and why did those drop off? Well, the reason is the browser manufacturers started to implement click-to-play mitigations, forcing people to click on Java applets to run them, and as a result it was no longer a view-and-compromise type of situation, and as a result those bugs are less interesting for people to look at. So the researchers went elsewhere.

Another case where we have a trend that affects the marketplace also happens when new mitigations come out. So this on the screen is the submission rate for Internet Explorer zero-day vulnerabilities into our program over the last five years, and you can see again a huge spike in the second quarter of 2014, and we're talking a new zero-day every single day coming into our program. This also corresponds to the active exploitation of use-after-free vulnerabilities in the wild. This time the researchers were before the active exploitation, and when the exploitation started occurring they tuned their fuzzers and they got better and better and better and started submitting more and more bugs into the program, which would then eventually go to Microsoft. Now, what happened after the second quarter of 2014? Well, at this point Microsoft silently released a new mitigation in the browser that most people don't know about, called isolated heap and memory protection. The whole point of this mitigation was to make use-after-frees ineffective, turning what were exploitable use-after-frees into null pointer dereferences, which are not exploitable. And this release of this mitigation had a significant effect on the marketplace: immediately we saw a decrease in the number of submissions of Internet Explorer zero-days into our program, and most of those submissions ended up being not exploitable. So we should also thank Microsoft for the release of that mitigation, because it really affected the way that the underground and people were looking at that piece of code. Now you see a significant drop-off in Internet Explorer submissions at the end of 2017, and that's because Microsoft Edge had come out and now people were targeting Edge. But now what do you see? You see a little bit of a spike happening in Edge and Internet Explorer submissions, which likely means that there is a new vector found that people are abusing and finding, and we know exactly what that is, which we'll talk about later.

Now, what happens when an end-of-life announcement occurs for a product? You can see here, these are the submission rates for Adobe Flash vulnerabilities coming into our program. Again, we've only really had one to five every quarter, but then in the middle of 2015 we saw a significant uptick in Adobe Flash, corresponding again to the exploitation of Adobe Flash by exploit kits; they had moved from Oracle to Internet Explorer to Flash. And then you see in the second quarter of 2017 a significant drop in this. Now, this drop is because Adobe basically says, we're going to end-of-life Flash, and as a result all of the submissions basically stopped. People moved on to other things because they're no longer interesting; there are no longer ways to do a complete compromise just by viewing a Flash application.

Now, what happens when things go unchecked? So this is our latest spike in the program. What we're looking at is the submission rate of Adobe, or basically PDF reader application, zero-days coming into our program, a combination of Adobe, Foxit and Microsoft Reader, and you can see that researchers have moved on and are looking at new areas now, right? But there has been no industry check yet for these submissions to drop, and as a result we believe that eventually these will actively be used in the wild. Traditionally the Adobe Reader vulnerabilities are things related to JavaScript inside of the Adobe Reader or Foxit Reader, and also vulnerabilities related to image parsing, so kind of classic, you know, exploits and vulnerabilities in these areas.

Now let's lay all of this on top of each other, and you can see that on average we're receiving anywhere from 50 to 100 bugs per quarter in these various products, and you can actually see the rise and fall of the vulnerability classes based off of what the vendors are doing. You see the rise of Java sandbox escapes and vulnerabilities coming into the program, you see the industry check that by introducing click-to-play, and you see those drop. Then researchers convert over into browser-based vulnerabilities, use-after-frees, because they're really easy to find and there were a bunch of them at the time. I mean, every time we received a new Internet Explorer vulnerability into our program they were almost automatically exploitable; they would basically lead straight to RCE, and they were really, really deadly. You then see the vendor release a mitigation and those kind of died off. Then you see researchers move over into Flash vulnerabilities, and you see the release of a new mitigation or basically the killing of the product completely, and then as a result the Flash vulnerabilities disappear. Then you see, in our case, another spike, so something strange is going on in this vulnerability research space right now. You're seeing a spike in PDF reader vulnerabilities, mostly because those are installed everywhere and you can exploit most of these bugs pretty easily, but also you're seeing a spike in browser vulnerabilities again, and this is not just on Microsoft Edge and Internet Explorer, it's also on things like Apple Safari and the other browsers. And if you look at our contest, the individuals who are coming to our contest are exploiting the bugs that we are seeing come through the programs: things like issues related to bounds checking and type confusion in JavaScript optimization, issues in the way that JavaScript arrays are implemented in the browser, and also they are starting to find areas and edge cases where the mitigation that was released several years ago is not effective; interior pointers and all this other stuff allows you to enable some of the use-after-frees to become exploitable again. So it's just interesting to see the ups and downs and ebbs and flows of the marketplace.

The next thing that's really interesting for us is regulations. Typically we don't talk about regulations all that much, but it does have an effect on what's actually going on. So back in December 2013 there was the release of the Wassenaar Arrangement, which classified cyber weapons, or exploits, as cyber weapons or dual-use technology, and when it was classified as dual-use technology the whole industry went up in arms, and everybody was really upset that all of a sudden exploits could not be trafficked around without some sort of check from the government. Now, the purpose of the actual regulations is important: the whole idea is to prevent Western technology from being used and sold to countries and governments that are going to abuse human rights. That's kind of the reason that this regulation exists, and that makes sense, but the way that it was written was extremely vague, and the way that it was written it would impact most people doing research in the industry, and would also impact penetration testing companies who are trying to sell their products, and it would affect people in my industry who are trafficking exploits and trying to get them fixed. And there's no real way to look and show the impact other than looking at the Pwn2Own contest. So the Pwn2Own contest, we

bring researchers out from around the world and we put bounty six-figure bounties exploits against the zero day vulnerabilities against the new newest mitigations and things like chrome and edge and and you know virtualization software and enterprise applications and back in 2012 prior to the release of the wasa arrangement we had people from all over the world coming into this program and submitting bugs to us when the Wassenaar arrangement came out you saw the Europeans and the people who had the Wassenaar arrangement in their country go away and as a result those exploits in the work that they were working on likely did not get fixed by the vendors which is the counter effect of what

we're trying to do with the regulations so it doesn't make any sense the way that it was written and it's not so much that they were afraid of being caught because these guys and gals who are writing these exploits and selling them to governments are coming to our contest or what not understand how to do it right what ends up happening is there's there's a misunderstanding a way that the regulation is implemented and it took them several years to actually figure it out and now they understand how to export the exploit and so they bring that to the contest now so it took them two years to adjust to this regulation and actually start bringing

exploits again to the contest and you saw this year a lot of Europeans come into the contest and all of those exploits had to go through an export control on the way out so somewhere in some paper and some government I have a signature somewhere that says I received a cyber weapon from this individual over who had come into the contest but it took some time for us to figure that out right and that is the issue with the regulations is that people don't understand how they actually work them because most of these people you know in this room and the people trafficking explains don't have lawyers but the people who are actually are selling the

government's do have lawyers and they know how to work the system and they know how to actually make it happen it's all it's really affecting as the white hat industry which kind of stinks now there's another set of regulations that have come out that most people don't know about but I'm intimately aware of which is the Chinese regulations so how many people know China regulators yes in the back all right so recently the Chinese government decided that they were going to remove Chinese researchers from all capture-the-flag competitions and competitions like pwned own effectively keeping the researchers at home now we're kind of in the same position again we were with the Wassenaar when we really didn't

understand how it was going to work when the new regulations came out you saw the Chinese researchers get scared and not wanting to participate and as a result in March of 2018 we had zero Chinese researchers at the contest now the whole point of the contest is to kill bugs and harden mitigations and we can't do that without people actually participating in the contest because most of time these people are going to do this for free they want money they want Fame that's what this is all about and so if they're afraid to actually come out and participate in the contest everybody in this room as a whole is less secure because the active owner abilities and

exploits actually do can't is possible and we can actually understand how they're working when we can actually get access to them but and and the fame and the marketing behind some of these contests is the reason that these teams exist and now there's there's kind of this misunderstanding of exactly how this is all going to go down we're in very very early stages of understanding the Chinese regulations and we'll see what happens over the next year and in the end we're trying to we're trying to kill bugs so we're going to offer the bounties no matter what it's who's going to come out you can kind of tell how these regulations actually affect the underground and affect the industry by

looking at contests like mine looking at DEFCON CTF etc so it's kind of just interesting to see how that shakes out when it's not benders actually making the implementation changes to make things harder now the conclusion most of us who work in the bounty space we have a set of goals that we're trying to try to reach we want to harden the attack surface of critical software whether it's companies that were actively paying you to run the bounty program or companies like or groups like mine that are paying for the intelligence to harden the attack surface but we want to focus our purchasing on the important things that everybody relies on operating systems browsers infrastructure software SCADA software

we have a particular interest in infrastructure software things that our servers because in reality that's what the government's are going to want to compromise the governments aren't going to compromise you know it you know client-side vulnerabilities all that much what they're going to go after is infrastructure software like routers so they can sit there in the router they can watch everything going on and as a result those vulnerabilities are extremely valuable for us to purchase we want to disrupt exploits that are being used in active attacks we can tell now from some of the leaks that we are actively having an effect and the money that's being spent on vulnerabilities is actually disrupting the way that

operations are working which is I think to be very very valuable especially now that we can't really secure the weapons that we're actively using we also want to educate regular regulators and legislators who are trying to regulate the industry for good purposes but don't understand how the industry actually works in a way to allow them to regulate it so that free trade of exploits can happen in a way that secures the ecosystem and with that thank you very much enjoy the rest of the conference you have questions I'll be around [Applause]