The Federal Office for Information Security (BSI) bought not only reports on IT security vulnerabilities but also exploits from the controversial company Vupen. This is shown by the contract, which we are publishing here. The federal agency thereby subsidized the million-euro market of insecurity with taxpayers' money for three years.

Last month it became known that the Federal Office for Information Security (BSI) had a contract with the French company Vupen until September. The French company around Chaouki Bekrar researches unknown security vulnerabilities in popular software, but instead of closing them, it sells the information to law enforcement agencies and intelligence services. These can exploit the vulnerabilities offensively with exploits, or use the reports defensively to close them in their own systems. Already last year, Philipp Alvares de Souza Soares wrote on Zeit Online:

Industry insiders assume market prices of around 100,000 US dollars per vulnerability if it can be used to attack a widely used program such as a web browser. Vupen's revenue has doubled each year in recent years. In 2011, the young company made around 415,000 euros in profit on just under one million euros in revenue.

Part of this business with insecurity is paid for with German taxpayers' money. Immediately after the first report, we requested the contract under the Freedom of Information Act (Informationsfreiheitsgesetz) and have now received it. We are publishing the (lightly redacted) contract here as a PDF and below this post as text.

According to it, the BSI signed a non-disclosure agreement from Vupen in March 2011, received an offer in July 2011, and both parties signed a contract in November 2011. The subject of the contract is the Threat Protection Program, in its "Comprehensive Level" version. Per year, the BSI acquires 50 "credits" that it can exchange for reports on security vulnerabilities. Further details are neither in the contract nor on Vupen's website; they are only given to companies, states or other well-funded organizations. Fortunately, the Spy Files that WikiLeaks published three years ago contain a Vupen product brochure on this:

While the "basic level" includes an "in-depth technical analysis" of the vulnerability and "protective measures/mitigation", the "advanced level" also offers code that crashes the affected program. The "comprehensive level", which the BSI bought, additionally even includes an exploit for executing malicious code. That can make sense, because security vulnerabilities are unfortunately far too often downplayed and not taken seriously enough.

Still, this is delicate, because the BSI claims to use this information only defensively:

The purpose of this contract was exclusively the protection of the government networks. The BSI has not passed on the findings obtained through Vupen to other authorities and institutions.

Admittedly, the BSI did not explicitly buy the more expensive exploits for actively exploiting these vulnerabilities, but according to Vupen's own statements it sells those only to law enforcement agencies and intelligence services, which the Federal Office is not. The BSI has thus pushed the limits of what it can legally buy from Vupen quite far. Good programmers can turn the delivered proof-of-concept exploits into exploits for other purposes, if one wants to. A month ago we already wrote:

So it is possible that the BSI is therefore actually only trying to protect government networks from these attacks. Whether one believes that is something everyone must judge for themselves, against the background of the BSI's history and the credibility of secret organizations.

In addition, Vupen also offered the BSI the Binary Analysis & Exploits program, which the NSA has also bought. Last year alone, the NSA spent over 25 million US dollars on security vulnerabilities and exploits. Vupen also works with other trojan manufacturers such as Gamma FinFisher, the very company from which the BKA also bought a state trojan that it is currently evaluating. And the BND has also just "budgeted 4.5 million euros to buy information on software vulnerabilities on the gray market". From which vendor is unfortunately not yet publicly known.

Regarding our further questions, the contract unfortunately reveals no new details either:

We also asked the BSI from when to when the contract ran, how much money was spent on it, and why the contract no longer exists. The answer: "We do not comment on contract details."

As always, we gladly accept further information via the usual channels.

Here are the contract documents:


NUMBER: [redacted]

DATE: July 7, 2011

SIRET n° 47850212300043

APE N° 6201Z

VAT Reg. No: FR83478502123

Federal Office for Information Security

Godesberger Allee 185

53175 Bonn

Germany

DESCRIPTION

VUPEN Threat Protection – Comprehensive Level

12 Month / 50 Credits

PRICE: [redacted]

Complementary access:

VUPEN BAE (Binary Analysis & Exploits)

PRICE: offered

Payment term : at subscription

TOTAL AMOUNT: [redacted]

% VAT: [redacted]

TOTAL QUOTE: [redacted]

Please sign this quote and return to VUPEN Security

By fax to: [redacted]

Or by mail to:

VUPEN Security

Cap Omega — CS 39521

Rond Point Benjamin Franklin

34960 – Montpellier Cedex 2 (France)

Full Name:

VAT No:

Sign Here:

Date:

VUPEN Security

Cap Omega — CS 39521 — Rond Point Benjamin Franklin — 34960 MONTPELLIER CEDEX 2

SA au capital de 69 110 € — RCS MONTPELLIER B 478502123

Site web : http://www.vupen.com – Email : sales@vupen.com

Auftrags-Nr. 37906/2011

Customer Information

Organization Name: BSI

Legal Status: GOVERNMENTAL ORGANIZATION

Registration number:

Place of Registration:

Head Office Address: GODESBERGER ALLEE 185-189

City / State: BONN

Postal Code: 53175

Country: GERMANY

Authorized Representative:

Name:

Job:

Customer Contact Information

Contact Name: [redacted]

Job: [redacted]

Email Address: [redacted]

Phone Number: [redacted]

Fax Number: [redacted]

Address: GODESBERGER ALLEE 185-189

City / State: BONN

Postal Code: 53175

Country: GERMANY

To subscribe to VUPEN Vulnerability Research & Intelligence Service, please print two copies, fill out, sign and send them by mail to

VUPEN Security

Cap Omega — CS 39521

Rond Point Benjamin Franklin

34960 MONTPELLIER CEDEX 2

FRANCE

End User License Agreement

The following terms and conditions of this End User License Agreement ("Agreement") govern the use by the organization signing below ("Customer") of the service "VUPEN Vulnerability Research & Intelligence Service", including its related documentation ("Documentation") provided in connection with said service (collectively, the "Intelligence") that VUPEN Security, a French company registered with the "Registre du Commerce et des Sociétés" of Montpellier under the number B 478502123 and whose head office's address is stated on page 1, may provide or make available to Customer as part of the Intelligence.

This Agreement further governs the use by Customer of any software, binary code, source code, exploit, proof-of-concept, analysis, reports, media, and printed materials provided under this service. For the purpose of this Agreement, any media, reports and printed materials provided under this optional service shall be deemed as part of the "Intelligence".

IMPORTANT: The Intelligence and Documentation are designed to allow Customer to keep ahead of the latest software vulnerabilities that could potentially affect Customer's environment, by providing timely, actionable information and guidance to help mitigate risks from unknown vulnerabilities or exploits. Under this Agreement, VUPEN Security does not provide any service relating to prior analysis of Customer's environment to evaluate potential adverse consequences on said Customer's environment which could result from the performance or use of said Intelligence, nor any assistance in handling environment safety with respect to the same. Customer declares that it is fully aware that the protection of its assets and data is part of its own duty.

1. LICENSE GRANT.

Subject to required annual license fees payment by Customer, VUPEN Security grants to Customer a personal, non-transferable non-exclusive and non-sublicensable worldwide license to use the Intelligence for its own internal environment security protection and defense needs as described in the Documentation, in accordance with the terms and conditions set forth in this Agreement. Under the same conditions, this Agreement further grants Customer the right to use Documentation that VUPEN Security may release and provide to Customer as part of the Intelligence. VUPEN Security makes available the Intelligence and Documentation to Customer on VUPEN Security dedicated platform stated in the order, and grants to Customer the right to modify provided source or binary code solely for the purpose of exercising its limited license rights hereunder.

2. RESERVATION OF RIGHTS AND RESTRICTIONS ON USE.

The Intelligence and Documentation are protected by intellectual property laws and international treaty provisions. Customer does not acquire, and VUPEN Security hereby reserves, any and all rights to the Intelligence and Documentation, either in object and source code, except as expressly set forth in this Agreement. Customer acknowledges that no title or ownership to the intellectual property in the Intelligence and Documentation, both in object and source code, is transferred to Customer.

Customer agrees that Customer will not attempt to rent, lease, sub-license, loan, auction, deal in, create derivative works of or merge the Intelligence and/or Documentation, in whole or in part, both in object and source code, use the Intelligence and/or the Documentation to provide Services to third parties, or make available in whatever form or format parts of the Intelligence and/or the Documentation, or authorize any third party to do any of the foregoing or remove any proprietary notice, labels or marks on the Intelligence and/or the Documentation.

Except as provided herein, Customer shall further refrain from using, modifying or adapting the Intelligence and/or the Documentation for any other purpose than as provided under this Agreement.

Customer shall ensure that all authorized users use the Intelligence and the Documentation in strict compliance with the terms and conditions of this Agreement.

Customer and VUPEN Security agree to keep confidential all data and information provided or shared as part of this agreement in accordance with the signed Non-Disclosure Agreement.

3. BINARY ANALYSIS, EXPLOIT AND PROOF-OF-CONCEPT CODE / PASSWORDS CUSTODY.

Regarding more particularly the binary analysis, exploit or proof-of-concept codes, Customer declares being fully aware that the Intelligence and Documentation constitute a valuable asset of VUPEN Security with regard to related research efforts and investments.

Customer shall be deemed to have all duties of custodian of the binary analysis, exploit or proof-of-concept codes, including but not limited to, taking all measures in order to ensure strict confidentiality as well as physical and logical security of said Intelligence and Documentation, to avoid any access and/or use of said Intelligence and Documentation by any third party and/or outside the scope of this Agreement. Customer shall strictly comply with any and all VUPEN Security instructions in respect of the Intelligence and Documentation safety, return and/or destruction.

Customer shall in the same manner be fully responsible for maintaining confidentiality and security of any assigned password provided by VUPEN Security for the use of the Intelligence and/or the Documentation, as well as for all activities that may occur under said password.

Customer shall immediately inform VUPEN Security of any unauthorized access to or use of the Intelligence, Documentation, binary analysis, exploits, proof-of-concept codes, passwords and more generally the Intelligence or Documentation of which Customer becomes aware.

4. INTELLIGENCE AND RESEARCH REPORTS

Under this Agreement and subject to annual license fee payment by Customer, VUPEN Security will make available to Customer, during subscription, a specific number of Intelligence and Documentation reports. The number of Intelligence and Documentation reports that will be downloaded by Customer during the subscription period shall not exceed the maximum number of authorized reports defined in the invoice issued by VUPEN Security.

Customer agrees that VUPEN Security will focus on actionable research defining new vulnerabilities uncovered in prominent enterprise-level software and infrastructure components. VUPEN Security defines actionable as anything representing a significant threat of damage or compromise to its customers and/or the general public, thus requiring protective action. VUPEN Security defines prominent software and components as anything known by VUPEN Security to be in general use by its customers and/or known to be in widespread public use.

VUPEN Security will have sole discretion to determine the list of software and components to be analyzed for new security vulnerabilities.

5. TERM / TERMINATION.

Term. The initial term of this Agreement shall commence on the date of fees payment and shall continue for a 12-month period. This Agreement shall be automatically renewed for successive 12-month periods, each party reserving the right to oppose any such renewal by 3 months' notice addressed to the other party by registered letter with acknowledgement of receipt.

VUPEN Security may, by written notice to Customer, terminate this Agreement and all rights granted hereunder if any of the following events occur: (i) Customer fails to pay any amount due to VUPEN Security within thirty (30) days after VUPEN Security gives Customer written notice of such non-payment, or (ii) Customer is in breach of an obligation under the Agreement in respect of VUPEN Security intellectual property rights or confidential information which, if capable of cure, is not cured within fifteen (15) days after VUPEN Security gives Customer written notice of such breach.

Duties Upon Termination. Customer will remain obligated for the payment of all fees specified in all orders submitted to VUPEN Security prior to termination, provided that if such termination arises from VUPEN Security’s breach of a material obligation hereunder that VUPEN Security has failed to cure within a reasonable time after written notice from Customer, then, the fees payable by Customer shall be subject to all rights and remedies which Customer may have as a result of VUPEN Security. Upon termination, Customer will additionally cease all use of the Intelligence and Documentation licensed hereunder and will promptly destroy all copies of such Intelligence and Documentation in its possession or control.

6. NO WARRANTY

VUPEN SECURITY EXCLUDES ANY WARRANTY THAT THE INTELLIGENCE OR DOCUMENTATION ARE ERROR FREE OR WILL PROTECT FROM VULNERABILITY OR MALICIOUS CODE THREATS OR THAT USE OF THE INTELLIGENCE OR DOCUMENTATION WILL ALLOW CUSTOMER TO KEEP ITS NETWORK OR ENVIRONMENT FREE FROM ATTACKS OR MALICIOUS CODE, OR SAFE FROM INTRUSIONS OR OTHER SECURITY BREACHES. VUPEN SECURITY DISCLAIMS ALL WARRANTIES, TERMS AND CONDITIONS WITH RESPECT TO THE INTELLIGENCE OR DOCUMENTATION AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS, INCLUDING THIRD PARTY INFRINGEMENT INDEMNIFICATION.

7. LIMITATION OF LIABILITY

TO THE EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL VUPEN SECURITY BE LIABLE TO CUSTOMER FOR ANY INDIRECT DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF ANTICIPATED BENEFITS OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THIS AGREEMENT OR THE DELIVERY, PERFORMANCE OR USE OF THE INTELLIGENCE OR DOCUMENTATION.

CUSTOMER EXPRESSLY ACKNOWLEDGES AND AGREES THAT IT IS SOLELY RESPONSIBLE FOR THE PROPER SECURITY OF ITS INFORMATION TECHNOLOGY ENVIRONMENT PRIOR TO AND AFTER THE USE OF THE INTELLIGENCE OR DOCUMENTATION.

IN NO EVENT WILL VUPEN SECURITY’S LIABILITY FOR ANY CLAIM EXCEED THE AMOUNT OF THE FEE-PAID BY CUSTOMER FOR THE INTELLIGENCE OR DOCUMENTATION.

EXCEPT FOR ACTIONS FOR NON-PAYMENT OR BREACH OR MISUSE OF EITHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, NO ACTION (REGARDLESS OF FORM) ARISING OUT OF THIS AGREEMENT MAY BE COMMENCED BY EITHER PARTY MORE THAN ONE (1) YEAR AFTER THE CAUSE OF ACTION HAS ACCRUED.

8. ENTIRE AGREEMENT, SEVERABILITY AND ASSIGNABILITY

This Agreement constitutes the entire agreement between the parties with respect to the use of the Intelligence and Documentation and supersedes any conflicting or additional terms contained in any order or elsewhere, all of which terms are excluded.

If a court or other competent tribunal in any jurisdiction finds any provision of this Agreement invalid, such invalidity shall not affect the remaining provisions of the Agreement, which shall remain in full force and effect.

VUPEN Security may assign its rights and obligations to any third party, provided that no such assignment shall relieve said third party of its obligations under this Agreement. Customer may not assign any right or obligation under this Agreement except with VUPEN Security’s prior written consent.

9. GOVERNING LAW AND FORUM

This Agreement and any dispute arising out of or in connection with this Agreement shall be governed by the laws of Germany. The courts in Bonn (Germany) shall have exclusive jurisdiction over any dispute arising out of or in connection with this Agreement, except that VUPEN Security may obtain preliminary or permanent injunctive relief from any court of competent jurisdiction worldwide.

Licensor: VUPEN Security

Name: [redacted]

Title: [redacted]

Date: [redacted]

Sign here: [redacted]

Customer: BSI, Bonn

Name: [redacted]

Title:

Date: 28.11.2011

Sign here: [redacted]

VUPEN Security

This non-disclosure agreement is entered into this 17 / Mar / 2011 by and between BSI (hereinafter "Recipient"), with offices at BONN, GERMANY and VUPEN Security, with offices at Montpellier, France (hereinafter "Discloser").

WHEREAS Discloser possesses information relating to software vulnerabilities, security research, and exploits and proof-of-concept codes that are confidential and proprietary to the Discloser (hereinafter "Confidential Information"); and WHEREAS the Recipient is willing to receive disclosure of the Confidential Information pursuant to the terms of this agreement for the purpose of internal review; NOW THEREFORE, in consideration for the mutual undertakings of the Discloser and the Recipient under this agreement, the parties agree to the below terms as follows:

1. Disclosure. The Discloser agrees to disclose, and the Receiver agrees to receive the Confidential Information.

2. Confidentiality.

2.1 No Use. The Recipient agrees not to use the Confidential Information in any way or manufacture or test any product embodying Confidential Information, except for the purpose authorized by the Discloser.

2.2 No Disclosure. The Recipient agrees to prevent and protect the Confidential Information, or any part thereof, from disclosure to any person other than the Recipient's employees that have a need for disclosure in connection with the Recipient's authorized use of the Confidential Information.

2.3 Protection of Secrecy. The Recipient agrees to protect the secrecy of the Confidential Information and to prevent the Confidential Information from falling into the public domain or into the possession of unauthorized persons.

3. Ownership of Confidential Information. The Recipient agrees that all Confidential Information shall remain the property of Discloser and that the Discloser may use such Confidential Information for any purpose without obligation to Recipient.

Nothing contained herein shall be construed as granting or implying to the Recipient any transfer of rights, any patents, or any other intellectual property pertaining to the Confidential Information.

4. Term and Termination. This agreement shall be continuing until the Confidential Information disclosed to the Recipient is no longer confidential. The rights and obligations of all parties shall survive the termination of this agreement for a period of five (5) years.

5. Survival of Rights and Obligations. This agreement shall be binding upon, inure to the benefit of, and be enforceable by (a) the Discloser, its successors and assignees; and (b) the Recipient, its successors and assignees.

IN WITNESS WHEREOF, the parties have executed this agreement effective as of the date first written above.

Recipient Organization Name: FEDERAL OFFICE FOR INFORMATION SECURITY (BSI)

Print Name: [redacted]

Title: [redacted]

Signed: [redacted]

Date: 17-Mar-2011