Demand for Zero-Day Flaws Drives Bug Bounties to Exceed $1 Million
While no single company would likely pay $1 million, a service supporting dozens of security companies might pay a significant sum for a few high-profile vulnerabilities, Brown said. "The interest in these types of capabilities is largely driven by defensive companies looking for protections against the rare, but high-profile capabilities," he said. "In this case, the private buyer Zerodium can afford the bounty due to a pool of clients interested in paying for the intelligence. Each client would pay less than the bounty, but with a number of them this could be a profitable investment."

Yet the most likely explanation for the size of the bounty is that one or more intelligence agencies need a way to compromise targeted phones and are willing to pay, according to other security experts. While the original announcement by Zerodium used the term "jailbreak" (a term used by those looking to remove carrier limitations on their mobile phone), selling to that market does not make sense, according to a September post by Robert Graham, CEO of Errata Security. "Every time Apple comes out with a new version—like iOS 9, they fix old [flaws], requiring intelligence organizations to scramble to come up with new ones," Graham stated. "Since 50 percent of iPhone users have updated to iOS9 [in just over a three day period], intelligence organizations are 'going dark' quickly—unless they can get a new zero day."

The issue of "going dark" highlights a real danger for anyone paying for a vulnerability. At any time, the developer of the vulnerable software could find and fix a particular flaw, leaving a bug buyer with little information of value. Apple, for example, could have paid the $1 million bounty for the iOS exploit, removing the danger before others could use it. However, only Microsoft, Facebook and Google have paid significant sums of money for information on vulnerabilities in their products, and none have paid more than $120,000 for a single vulnerability.
The announcement caused a stir in the security world. Some critics wanted the company to help patch the flaws. Others pointed to the lack of evidence of either exploits or a payout, and called the announcement a public relations stunt. And still others worried that the attack would enable governments to more easily spy on their citizens.

Yet the trend toward rising payouts is unlikely to change, whoever the potential buyers turn out to be. With information technology inserting itself into every aspect of people's daily lives, exploiting the software central to those systems is the best way to gain surreptitious access to that technology. Thus both defensive security companies and intelligence agencies looking for new offensive tools can find significant value in information on previously unreported vulnerabilities.

Defensive IT security companies have to keep up with the Joneses. Any company that does not buy information on the latest flaws may find itself behind its competitors. A similar issue is driving nations to buy as well, said Netragard's Desautels. "Imagine if our government stopped buying zero days," he said. "Iran would not stop. North Korea would not stop. The market is driven largely by countries and governments, and as long as one is buying, others have to buy to keep up."
Instead, a government is the most likely suspect, he stated.