Bug Bounties Spike as Software Firms, Researchers Compete for Flaws

Apple offers $200,000 for serious software security flaws. Then an independent broker offers a cool $500,000. Is this a sign of a short-lived bubble or will the value of exploits continue to climb?


At the Black Hat 2016 security conference in early August, Apple offered select, invited researchers up to $200,000 to find previously unknown ways to compromise the company's iOS operating system or iCloud service.

Less than a week later, third-party security firm Exodus Intelligence upped the ante, offering $500,000 for remote exploitation on iOS—10 times more than Apple offered for the same level of compromise.

The competing offers for exploitable vulnerabilities highlight the evolving battle between software vendors, who increasingly want to bolster the security of their products by paying researchers to report flaws to them, and third-party firms that make money by buying exclusive vulnerability information and selling it on to their own customers.

As software companies become more at ease with paying researchers for vulnerabilities and third parties see more opportunity in buying exploits, the market for security researchers' efforts has grown, Brian Gorenc, senior vulnerability researcher for Trend Micro's Zero Day Initiative, told eWEEK. ZDI's program, for example, has grown steadily this year, receiving the most submissions by researchers to date, he said.

"Right now, it is a really good time to be a vulnerability researcher," Gorenc said.

The environment is a marked departure from even four years ago, when executives at companies such as Microsoft and Apple refused to pay security researchers who found vulnerabilities, and relied instead on altruism and the desire to promote a personal brand to convince researchers to disclose vulnerabilities for free.

"I think bug bounty programs are awesome and they have come a long way from where they were initially," Adriel Desautels, managing partner and CEO at penetration-testing firm Netragard, told eWEEK. "When they started, the bounties were almost insults. They were $500 and $3,000. Now, they are much more competitive with what other agencies and brokers are willing to pay."

Yet the acquisition of exploitable vulnerabilities by third parties can work against software firms and their customers, because the flaw stays unpatched while the buyer uses it. When Apple refused earlier this year to help the FBI bypass the passcode protections on an iPhone, an Israeli company reportedly sold the agency a way in, giving federal investigators access to the device's data without Apple's cooperation.

Following the incident, and perhaps driven by it, Apple announced its first bug bounty at the Black Hat Security Briefings on Aug. 4. With a $200,000 headline-generating top tier, Apple's program appears to be a strong statement that the company is jumping into the paid research market with both proverbial feet. However, the top payout applies only to a very small, and very hard to exploit, piece of the iOS software: the secure boot firmware. The more general class of bugs that most attackers pursue, arbitrary code execution with kernel privileges, pays a much smaller $50,000.

Yet the program is a good start, Rich Mogull, principal analyst and CEO at security consultancy Securosis, said in a blog post.

"Apple didn’t need a program, but can certainly benefit from one," he said. "This won’t motivate the masses or those with ulterior motives, but it will reward researchers interested in putting in the extremely difficult work to discover" some of the most dangerous classes of exploitable vulnerabilities.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...