The Zero-Day Buyer Nobody Vetted

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-07-14

Categories: Third-Party & Vendor Risk
Download PDF

Key Takeaways

Investigative reporting from Krebs on Security in July 2026 identified the operators behind IRIS C2, a Virginia-registered offensive-security startup soliciting zero-day vulnerabilities with advertised payouts as high as $7 million, as Jacob Wohl and Jack Burkman, two men with extensive documented histories of securities fraud, telecommunications fraud, and coordinated election-disinformation schemes [1]. Neither man has a public track record in vulnerability research, exploit development, or lawful-intercept brokerage; their prior venture, an AI-lobbying platform called LobbyMatic, was run under fabricated identities, and its claimed corporate clients were never independently confirmed [1][2]. IRIS C2 nonetheless built a following of several thousand people on social media by posting about vulnerabilities and AI-driven exploitation, and its principal repeatedly referenced unspecified federal government work while declining to name any agency or contract [1]. The case does not turn on whether IRIS C2’s technical claims are true or false — that remains unverified — but on the fact that nothing in the exploit-acquisition market’s current structure would have caught the problem earlier, regardless of the answer. Security researchers, enterprise vulnerability-disclosure programs, and any government office that might plausibly transact with a self-described exploit broker have no shared, low-cost way to check whether the entity on the other side of a submission has the legal standing, technical capability, or basic integrity to be trusted with a working zero-day. This research note treats IRIS C2 as a case study in that structural gap rather than as a story about two individuals, and connects it to CSA’s existing standards-based vendor-assurance work as a starting point for closing it.

Background

The market for zero-day exploits has long operated as a loosely regulated gray market sitting between fully underground criminal forums and a small set of established brokers, chiefly Zerodium and Crowdfense, that claim to sell exclusively to vetted government and allied-nation clients [3]. Crowdfense has publicly acknowledged that vetting the buyer, not the exploit, is “the most delicate part” of its business, and has floated the idea of eventually publishing formal customer-vetting standards, an implicit admission that no such shared standard currently exists across the industry [4]. Zerodium’s own public positioning makes a similar claim: reporting on the firm and its predecessor has described a stated policy of selling strictly to government and law-enforcement customers in non-sanctioned countries, but Zerodium does not publish its vetting criteria or client list, leaving outside observers unable to independently confirm the claim [5]. On the government side, the United States manages the disposition of vulnerabilities it acquires or discovers through the Vulnerabilities Equities Process (VEP), a National Security Agency-administered mechanism for weighing whether a given flaw should be disclosed to the affected vendor or retained for intelligence and offensive use [6]. The VEP governs what the government does with a vulnerability once it has one; it does not govern, and was never designed to govern, whether the vendor or broker the government acquired that vulnerability from is itself legitimate, competently run, or free of a disqualifying criminal history.

Export-control regimes add a second, adjacent layer of scrutiny that is also not built for this problem. The Wassenaar Arrangement’s 2013 amendments placed “intrusion software” and related surveillance technologies under dual-use export controls, aiming to prevent Western-origin hacking tools from reaching governments implicated in human-rights abuses [7]. That framework constrains where a finished exploit or intrusion tool can be shipped once it exists and once a seller is identified as being within a Wassenaar-participating jurisdiction; it says nothing about whether the seller soliciting submissions from independent researchers in the first place is a credible commercial or government counterparty. IRIS C2 falls into exactly this seam. It is a Virginia-registered entity operated through Calvexa Group LLC, at an address also tied to one of the founder’s existing lobbying business, and it does not appear in available public records as holding an active federal contract despite its principal’s repeated, unspecific references to government work [1][2]. Based on the mechanisms reviewed above, no vetting layer in the current market — not the self-policing of established brokers, not the VEP, not export controls — appears designed to evaluate a new entrant like this before it began publicly soliciting exploits from researchers.

Security Analysis

The accountability gap this case exposes operates on two sides of the same transaction, and both matter independently of whether IRIS C2 ever actually pays for or resells a working exploit. On the supply side, a security researcher deciding whether to submit a zero-day to IRIS C2 in exchange for a six- or seven-figure payout has essentially no independent way to confirm who receives that exploit, how it will be used, whether it will be resold to a third party, or whether the buyer has the operational security to prevent the vulnerability from leaking or being independently rediscovered by a hostile actor before the affected vendor can patch it. Established brokers at least offer a track record and, in Crowdfense’s case, an acknowledgment that buyer vetting is a discipline they are actively developing; IRIS C2 offers neither, and its principals’ documented history of operating prior ventures under invented personas is a direct, material reason to distrust any claim about downstream buyer vetting that cannot be independently verified [1][2]. A researcher who might otherwise responsibly disclose a vulnerability to an affected vendor, or route it through a recognized bug-bounty platform, faces a genuine incentive problem when a broker dangles a payout an order of magnitude larger than most bounty programs, with no external body positioned to tell that researcher whether the broker is what it claims to be.

On the demand side, any government office, contractor, or enterprise vulnerability-management program considering IRIS C2 as a counterparty faces the mirror-image problem: there is no standard vendor-assurance artifact — no attestation, no third-party audit, no registry entry — that such an office could point to as evidence of having performed reasonable diligence before transacting with a self-described exploit broker. This is not unique to the offensive-security space; it is a closely analogous problem to the one CSA and the National Technology Security Coalition identified in 2018 in the broader cloud-vendor context, where organizations relied on proprietary, one-off vendor questionnaires instead of standards-based assurance mechanisms, producing inconsistent, hard-to-compare, and easily gamed vetting outcomes [8]. The exploit-acquisition market has, if anything, a weaker baseline than the cloud-vendor market that motivated that 2018 warning, because there is no equivalent of a STAR Registry, a published control framework, or a common assessment questionnaire that any prospective buyer or researcher-seller could consult. The absence is compounded by the secrecy that legitimately characterizes this market: unlike cloud vendors, exploit brokers cannot publish detailed operational documentation without undermining the security value of the products they broker, which makes a lightweight, standards-referenced attestation model — rather than full public transparency — the more realistic target for closing the gap.

A further complication is that IRIS C2’s public conduct inverts the pattern legitimate players in this market typically follow. Krebs’s reporting notes that established, credible brokers and contractors in the offensive-security space tend to operate with deliberate discretion, avoiding public recruitment campaigns and unverifiable claims of government relationships, precisely because loud, unverifiable marketing invites the kind of scrutiny that damages trust with the government and enterprise clients such firms actually depend on [1]. IRIS C2’s public, high-volume social-media recruitment and its principal’s pattern of invoking unnamed federal contracts without evidence are, by the reporting’s own account, atypical of how legitimate actors in this space behave — which makes the case useful precisely because it is an outlier, not because it demonstrates that the whole market lacks scrutiny. It illustrates what an unvetted entrant can attempt to do in the absence of any structural check, and the ease with which that entrant could accumulate a public following and market presence before independent journalism, rather than any market or governmental mechanism, surfaced the operators’ backgrounds.

Recommendations

Immediate Actions

Security researchers who have submitted, or are considering submitting, vulnerability information to IRIS C2 or similarly unverified brokers should treat the absence of any independently verifiable client-vetting practice, corporate history, or named government relationship as a disqualifying signal on its own, separate from any assessment of the technical legitimacy of the platform. Organizations operating vulnerability-disclosure or bug-bounty programs should review whether their own program terms explicitly address researcher submissions to third-party brokers, since a researcher who discovers a vulnerability in an organization’s product may be weighing a broker payout against responsible disclosure to that same organization. Enterprises and government offices that have had any contact with IRIS C2, including exploratory conversations about services or contracts, should document that contact and evaluate it against their existing third-party risk-management procedures rather than treating unverified claims of prior government work as a substitute for diligence.

Short-Term Mitigations

Organizations that engage with exploit brokers, offensive-security vendors, or gray-market vulnerability acquisition programs as a matter of routine business — including defense contractors, incident-response firms with red-team arms, and government cybersecurity offices — should adopt a standards-based vendor-assessment approach for this category of counterparty rather than relying on informal reputation or unverifiable self-reported claims. CSA’s long-standing guidance on replacing proprietary, ad hoc vendor questionnaires with standardized, comparable assessment frameworks was written for the cloud-services context, but the underlying logic transfers directly: a common set of questions, drawing on CCM/AICM-style control categories and covering corporate legal standing, beneficial ownership, prior business history, client-vetting methodology, and incident history, would let any prospective buyer or research partner evaluate a broker like IRIS C2 against a consistent baseline rather than each having to independently investigate from scratch [8]. Bug-bounty platforms and vulnerability-coordination bodies should consider whether to publish guidance or warnings when a broker’s public conduct — unverified government-relationship claims, absence of a corporate or technical track record, principals with disqualifying legal histories — falls outside the norms the rest of the market follows.

Strategic Considerations

The IRIS C2 case is a useful forcing function for a conversation the exploit-acquisition market has deferred for years: whether the current combination of broker self-policing, the government’s internal VEP, and export-control regimes is sufficient to prevent unqualified or bad-faith entrants from operating in a space where the product being brokered is, by definition, a capability to compromise software used at scale. None of those three mechanisms was designed to answer the specific question a researcher or buyer needs answered before a transaction: is this particular counterparty who and what it claims to be? Closing that gap does not require full transparency, which would undermine the operational security legitimate brokers and their government clients depend on; it requires a narrower, standards-referenced assurance mechanism — closer to a STAR-style attestation, referring to CSA’s Security, Trust, Assurance, and Risk (STAR) Registry, than a public audit — that a broker could satisfy without disclosing sensitive client or capability details. CSA’s AI Controls Matrix (AICM) v1.1, in its Supply Chain Management, Transparency, & Accountability domain, already establishes the general pattern of standards-based, evidence-backed vendor evaluation that this market lacks; extending that pattern, or a purpose-built analogue, to cover exploit brokers and offensive-security vendors specifically would give researchers, enterprises, and government offices alike a shared reference point that does not currently exist [9].

CSA Resource Alignment

This case is fundamentally a vendor-assurance failure, and CSA’s existing standards-based assurance work is the most directly relevant body of prior guidance, even though it was written for a different vendor category. CSA and the National Technology Security Coalition’s Streamlining Vendor IT Security and Risk Assessments argued that proprietary, one-off vendor questionnaires produce inconsistent and easily gamed vetting outcomes, and advocated for standardized, comparable assessment frameworks in their place [8]. The exploit-acquisition market IRIS C2 operates in has no equivalent standardized framework at all — not even the informal, proprietary questionnaires that paper’s authors criticized as insufficient in the cloud-services context — which makes the paper’s core argument, that ad hoc vetting does not scale to a market with real counterparty risk, arguably even more applicable here than in its original domain. Organizations evaluating any offensive-security or exploit-brokerage counterparty should treat that paper’s case for standardized, evidence-based assurance as the template for what this market currently lacks.

The AI Controls Matrix (AICM) v1.1, CSA’s current superset framework encompassing the Cloud Controls Matrix, provides a Supply Chain Management, Transparency, & Accountability control domain built around exactly the categories of diligence this case shows are missing: verification of a vendor’s legal and operational legitimacy, evaluation of subcontractor and downstream-client risk, and evidence-backed rather than self-attested assurance claims [9]. While AICM’s control language is written primarily for AI and cloud service providers, security and procurement teams evaluating an exploit broker or offensive-security vendor can use its third-party risk domain as a starting checklist — adapted for this market’s unusual secrecy constraints — until a purpose-built assurance framework for this specific vendor category exists.

References

[1] Krebs, Brian. “Felons, Fraudsters Flog Offensive Cybersecurity Startup.” Krebs on Security, July 2026.

[2] Washingtonian. “Jacob Wohl and Jack Burkman Are Back, There’s Trouble With Trump’s Qatari Plane, and JD Vance Is Looking at Property in Virginia’s Hunt Country.” Washingtonian, July 2026.

[3] Wikipedia. “Market for Zero-Day Exploits.” Wikipedia, accessed July 2026.

[4] Vice. “Startup Offers $3 Million to Anyone Who Can Hack the iPhone.” Vice, 2019.

[5] Threatpost. “VUPEN Launches New Zero-Day Acquisition Firm Zerodium.” Threatpost, 2015.

[6] Wikipedia. “Vulnerabilities Equities Process.” Wikipedia, accessed July 2026.

[7] Lawfare. “Regulating Commercial Spyware Through Export Controls.” Lawfare, 2024.

[8] Cloud Security Alliance and National Technology Security Coalition. “Streamlining Vendor IT Security and Risk Assessments.” Cloud Security Alliance, 2018.

[9] Cloud Security Alliance. “AI Controls Matrix (AICM) v1.1.” Cloud Security Alliance, 2025.

← Back to Research Index