From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Vupen Security
Société anonyme
Founded2004 (2004)
FounderChaouki Bekrar
DefunctMay 5, 2015 (2015-05-05)[1]
Area served
Information security, Espionage

Vupen Security was a French information security company founded in 2004 and based in Montpellier with a U.S. branch based in Annapolis, Maryland. Its specialty was in discovering zero-day vulnerabilities in software from major vendors in order to sell them to law enforcement and intelligence agencies which use them to achieve both defensive and offensive cyber-operations.[2] Vupen ceased trading in 2015, and the founders created a new company Zerodium.


In 2011, 2012, 2013 and 2014 Vupen won first prize in the hacking contest Pwn2Own, most notably in 2012 by exploiting a bug in Google Chrome. Their decision not to reveal the details of the vulnerability to Google, but rather to sell them, was controversial.[3] Unlike 2012, during Pwn2Own 2014, Vupen decided to reveal to the affected vendors, including Google, all its exploits and technical details regarding the discovered vulnerabilities, which led to the release of various security updates from Adobe, Microsoft, Apple, Mozilla, and Google to address the reported flaws.[4]

According to the French registrar of companies,[5] Vupen earned a net profit of €1,283,000 in 2014. Some years ago Vupen was still providing information about vulnerabilities in software for free, but then decided to earn money with its services. "The software companies had their chance", said Vupen-founder Chaouki Bekrar according to the article, "now it's too late".[6] On 15 September 2013, it was revealed that the NSA was a client of Vupen and had a subscription to its exploit service.[7] On 9 November 2014, the German magazine Der Spiegel reported that the German information security agency BSI, tasked with the protection of federal government networks, was also a client of Vupen.[8] On 22 July 2015, it was revealed that Vupen provided exploits to Hacking Team between 2010 and 2011.[9]

On 5 May 2015, Vupen headquarters filed documents ceasing its operations.[1]


On 23 July 2015, Vupen's founders launched a new US cybersecurity company named Zerodium and having a different business model as it acquires exclusive zero-day discoveries from independent researchers and reports them, along with protective measures and security recommendations, to its corporate and government clients.[10]


  1. ^ a b Registre des sociétés,
  2. ^ Andy Greenberg (21 March 2012). "Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)". Forbes.
  3. ^ Kim Zetter (3 September 2012). "How to Pwn the Pwn2Own Contest". Wired.
  4. ^ Google (14 March 2014). "Chrome Stable Channel Update".
  5. ^ Registre des sociétés, Infogreffe
  6. ^ Philipp Alvares de Souza Soares: Cyberspionage: Durch die Hintertuer, in: Die Zeit October 2nd 2013.
  7. ^ NSA Contracted With Zero-Day Vendor Vupen, Darkreading
  8. ^ BND will Informationen ueber Software-Sicherheitsluecken einkaufen, in: Der Spiegel November 9th 2014.
  9. ^ Hacking Team: a zero-day market case study, Vlad Tsyrklevich's blog
  10. ^ Fisher, Dennis (July 24, 2015). "VUPEN Founder Launches New Zero-Day Acquisition Firm Zerodium". Retrieved November 3, 2015.