This week, an exploit was publicly distributed that could break into the computers of those using the Tor Browser or Firefox. The Tor Project and Mozilla patched the underlying vulnerability on Wednesday.
One research company gave details of the exploit method used to a defensive cybersecurity firm last year so it could protect its own clients’ systems. In turn, the exploit research company went on to sell details of the recent Firefox vulnerability to another customer for offensive purposes this year, according to two sources.
The case highlights the often antithetical relationship between companies that research and develop exploits and those that maintain the affected software. But it also shows an instance of a company selling related exploit information to both defensive and offensive customers.
Back in December 2015, cybersecurity firm Fortinet announced it had added an intrusion detection system (IDS) signature for a Firefox zero-day; that is, a security issue unknown to Mozilla, which develops Firefox. IDS signatures are used to detect particular exploits or types of attack.