Following reports that the company had been breached by hackers who stole information on zero-day vulnerabilities, VUPEN Security CEO Chaouki Bekrar recently told Computerworld's Jaikumar Vijayan that no breach had occurred.
"It's unclear how speculation of the breach started," Vijayan writes. "Many reports pointed to a brief post by security blogger Kevin Townsend that talked about VUPEN being hacked and data on the zero-day flaws leaked. The report was picked up by other blogs and tweeted widely on Twitter."
Yesterday, Bekrar followed up by tweeting, "To make things very clear, the imaginary compromise story is just bullsh*t, nothing happened at all. Sorry to the trollers :-]"
"If a company like VUPEN had been hacked, it would indeed be big news," notes CSO Online's John E. Dunn. "It is a research house that makes money by discovering valuable vulnerabilities, ideally unpatched 'zero days', which are then revealed to paying customers. Such data is dangerous enough that its theft and possible sudden release on this scale would be unprecedented. VUPEN is most famous for its impressive compromises of Google's Chrome browser during the 'Pwnium' open hacking event. Its non-disclosure modus operandi remains controversial in some quarters."
"Some software vendors have been quite vocal in their criticism of what VUPEN does and how the company conducts its business," writes Threatpost's Dennis Fisher. "However, it's somewhat difficult -- but not impossible -- to imagine a major software vendor starting a disinformation campaign against VUPEN, just to try and discredit the company. VUPEN is far from the only company in the business of selling bugs; it's just the most vocal and visible one. If VUPEN were to go away tomorrow, there would be plenty of competition to pick up the slack, and companies such as Google, Microsoft and Apple, whose products are the target of the bugs VUPEN sells, would still have vulnerabilities and there still would be buyers for them."