In the Navy, the Village People sang, you can sail the seven seas and live a life of ease. And now you can also work with third parties to identify and exploit 0-day flaws in common commercial software.
That Naval job is revealed in a fascinating solicitation for a provider capable of reporting new flaws and developing weaponised software to exploit them.
“This is a requirement to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” the solicitation reads.
The document goes on to say it wants “... a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old).” Quarterly updates are sought and should “include intelligence and exploits affecting widely used software.”
And here's the nasty part:
“The government will select from the supplied list and direct development of exploit binaries.”
Whoever gets the gig will also be required to “... develop exploits for future released Common Vulnerabilities and Exposures.”
The Navy's definition of “widely used software” includes “Microsoft, Adobe, JAVA, EMC, Novell, IBM, Android, Apple, CISCO IOS, Linksys WRT, and Linux, and all others.”
“They want you | They want you | They want you as a new recruit” if you're a small business willing to do the job for a year, with the prospect of a further three years' work if you're good at it.
That the US Navy is interested in exploiting 0-days should come as no surprise to anyone, so while this solicitation looks a bit sinister it is surely business as usual, and good business for whoever gets the gig. ®