On the tiny Mediterranean island of Malta, two Italian hackers have been searching for bugs - not the island's many beetle varieties but secret flaws in computer code that governments pay hundreds of thousands of dollars to learn about and exploit.
The hackers, Luigi Auriemma, 32, and Donato Ferrante, 28, sell technical details of such vulnerabilities to different countries. The two will not reveal the clients of their company, ReVuln, but big buyers of services like theirs include the National Security Agency - which seeks the flaws for America's growing arsenal of cyberweapons - and U.S. adversaries like the Iranian Revolutionary Guard.
All over the world, from South Africa to South Korea, business is booming in what hackers call "zero days," the coding flaws in software such as Microsoft's Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.
Just a few years ago, hackers such as Auriemma and Ferrante would have sold the knowledge of coding flaws to companies such as Microsoft and Apple, which would fix them. Last month, Microsoft sharply increased the amount it was willing to pay for such flaws, raising its top offer to $150,000.
Increasingly, however, the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three years ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as "Stuxnet."
The flaws are so named because, once a flaw is discovered, the user of the affected computer system has had "zero days" to fix it before hackers can take advantage of the vulnerability. A "zero-day exploit" occurs when hackers or governments strike by using the flaw before anyone else knows it exists.
"Governments are starting to say, 'In order to best protect my country, I need to find vulnerabilities in other countries,'" said Howard Schmidt, the former White House cybersecurity coordinator. "The problem is that we all fundamentally become less secure."
A zero-day bug could be as simple as a hacker's discovering an online account that asks for a password but does not actually require typing one to get in. Bypassing the system by hitting the "enter" key becomes a zero-day exploit.
According to Symantec, the maker of antivirus software, the average attack goes on for almost a year before it is detected. Until then it can be exploited or "weaponized" by criminals and governments to spy on, steal from or attack their target.
Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google for free, in exchange for a T-shirt or perhaps an honorable mention on a company's website. Now, the market for information about computer vulnerabilities has turned into a gold rush.
Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services. Asian Pacific countries are buying, too, according to the Center for Strategic and International Studies in Washington.
To connect sellers and buyers, dozens of well-connected brokers now market information on the flaws in exchange for a 15 percent cut. Some hackers strike a deal to collect royalty fees for every month their flaw lies undiscovered, according to several people involved in the market.
Some brokers, such as one in Bangkok who goes by "the Grugq" on Twitter, are well known. But after the Grugq spoke to Forbes last year, his business took a hit from the publicity, according to a person familiar with the impact, primarily because buyers demand confidentiality.
A broker's approach need not be subtle. "Need code execution exploit urgent," read the subject line of an email sent from one contractor's intermediary last year to Billy Rios, a former security engineer at Microsoft and Google who is now a director at Cylance, a security startup.
For startups eager to displace more established military contractors, selling vulnerabilities - and expertise about how to use them - has become a lucrative opportunity. Firms such as Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Texas; and ReVuln, Auriemma and Ferrante's Maltese firm, freely advertise that they sell knowledge of the flaws for cyberespionage and, in some cases, for cyberweapons.
ReVuln specializes in finding remote vulnerabilities in industrial control systems that can be used to access - or disrupt - water treatment facilities, oil and gas pipelines, and power plants.