According to their website, they provide 'offensive exploit services' to governments and intelligence services. So possibly, depending on whether you view those people as bad people.
They even admit it's not just governments they sell to: VUPEN customers include worldwide governments and major corporations in finance, technology and manufacturing. [http://www.vupen.com/english/company.php] although their continued use of weasel words does stop just short of admitting that they're enabling industrial espionage.
VUPEN's offensive IT intrusion solutions and government grade exploits enable the Intelligence community and government agencies to achieve their lawful intercept missions using VUPEN's industry-recognized vulnerability research and intelligence.
I am trying to imagine a situation where government agencies _lawfully_ need to break into someone's IE. Any ideas?
hmmm.. I think law enforcement agencies need to stay in accordance with the law even with their "discovery". Breaking into someone's IE or exploiting vulnerabilities in order to get information you otherwise wouldn't be able to get falls under breaking into someone's "property", I think, even if it's "just" an Internet browser.
Therefore, your "legitimate" search warrant will be thrown out of the window by a judge, and classified as the Fruit of the poisonous tree.
I thought that too, at first, but it seemed too blatantly illegal to believe. Going by their site, it's mostly for government agencies against other agencies?[1] I'm not proficient enough at law to comment on the legalities of it.
Another possibility I had in mind is that they want to get paid by people wanting to fix this vulnerability on their systems. E.g., company X will have to come to them if they want their IE browsers to receive the patch against this bug.
I'm not proficient at law either, but I don't think selling exploits is illegal. Unauthorized computer access is, but as long as they aren't doing that access themselves, I think they're in the clear. The analogy I first think of would be a gun store owner not being responsible for the crimes his customers commit. Although perhaps he'd be an accessory if he knew they had criminal intentions? I'm not sure.
Having personally worked to tell the IE team about a severe bug (crashie.com), I can tell you that their process, community and bureaucracy are by far the worst part of Internet Explorer. You'll get ignored, told that the problem is with your code, mocked in the forums, and then ultimately told the problem isn't a big enough deal (or in my case, too complicated) to fix.
The only way to get the IE team to fix issues is to make a public spectacle like Vupen did. And I completely get only exposing bugs when there is a profit to be made, because any other route is counterproductive.
There is a difference between security and non-security bugs. Null pointer dereferences and hangs are not security bugs. Security bugs you are supposed to report to MSRC. Non-security bugs typically have to wait until the next version of IE to fix.
That is assuming that it is easy to tell the difference between security and non-security bugs. Null pointer dereferences can and have been exploited to escape security sandboxes. I read about an interesting one a few years ago in Flash. Unfortunately all I can find now are secondary sources (http://www.zdnet.com/blog/security/mark-dowds-null-pointer-d...).
It's really great to see that someone is stepping into the public eye and disclosing just how poor the protection an average PC provides really is. Bringing attention to this problem could really improve privacy for your average Joe.
I'm trying to think of why else they wouldn't disclose the protected mode bypass error, but instead keep it "private for our customers".