Bug Bounties Spike as Software Firms, Researchers Compete for Flaws
Apple was one of three major remaining software companies that had a policy against cash bug bounties. Adobe, whose Flash and Acrobat software are popular targets of attackers, announced a program a year ago, but with no cash incentive. Oracle, the owner of the Java software framework, has criticized such programs as well as any effort to find bugs in its software. Java and Flash have both been frequent targets of attackers' efforts—a focus that's sure to continue in the future, ZDI's Gorenc said. "We are seeing a shift from Microsoft vulnerabilities to Adobe vulnerabilities, and I think you see that from the shift in the attack landscape," he said. With its announcement, Apple joins the company of Microsoft, which had launched its own bug bounty program in June 2013 and has awarded more than $500,000 in bounties. Google started its program in 2010 and has paid out more than $6 million.Third-party brokers and exploit-development firms are paying at least an order of magnitude more. Exploit-tools developer Vupen, now operating under the name Zerodium, offered three $1 million bounties for iOS exploits last year, and eventually reported that a single team claimed one of the prizes. The company regularly offers $50,000 to $80,000 for browser exploits, $100,000 for Android and Windows Phone exploits and $500,000 for Apple iOS compromises. Trend Micro's ZDI, which pays for vulnerability information and then submits it to software developers, gave away $460,000 at the CanSecWest conference in March, including prizes for the first exploit of Microsoft's latest browser, Edge. In the end, software companies will have to become accustomed to rewarding security researchers and hackers who report vulnerabilities in their software. While five years ago software companies could refuse to pay for vulnerability information, these days, any firm without a bug bounty program could be seen as not doing its job, Desautels said. "Software companies did not seem to care much about vulnerabilities, unless it somehow affected their bottom line," he said. "All the recent news about people buying the vulnerabilities and software vendors not participating made it look like software vendors were not doing their job, and they were not." In the past, Netragard had acted as a broker of vulnerability information, facilitating high-value vulnerability sales. The company stopped the practice following revelations that Hacking Team, to whom Netragard has sold exploit techniques, had resold the attacks to questionable countries. Yet, for the most part, sales will continue, and because attack information has such a short shelf life—as the National Security Agency can testify following the leak of some of its tools— demand will continue unabated. With vulnerabilities becoming harder to find, and software companies competing for information on flaws in their code, the price of exploits will only continue to rise.
Yet software companies continue to fall far short of the prizes offered by third-party firms. Software companies offer, on average, thousands of dollars per vulnerability. Google, for example, paid an average bounty of $2,700 in 2015.