At the Black Hat 2016 security conference in early August, Apple offered select researchers up to $200,000 to find previously unknown ways to compromise the company’s iOS operating system or iCloud service.
Less than a week later, third-party security firm Exodus Intelligence upped the ante, offering $500,000 for remote exploitation on iOS—10 times more than Apple offered for the same level of compromise.
The competing offers for information on exploitable vulnerabilities highlight the evolving battle between software vendors, who increasingly want to bolster the security of their products by tapping researchers, and third-party firms who seek to make money from exclusive vulnerability information.
As software companies become more at ease with paying researchers for vulnerabilities and third parties see more opportunity in buying exploits, the market for security researchers’ efforts has grown, Brian Gorenc, senior vulnerability researcher for Trend Micro’s Zero Day Initiative, told eWEEK. ZDI’s program, for example, has grown steadily this year, receiving the most submissions by researchers to date, he said.
“Right now, it is a really good time to be a vulnerability researcher,” Gorenc said.
The environment is a marked departure from even four years ago, when executives at companies such as Microsoft and Apple refused to pay security researchers who found vulnerabilities, and relied instead on altruism and the desire to promote a personal brand to convince researchers to disclose vulnerabilities for free.
“I think bug bounty programs are awesome and they have come a long way from where they were initially,” Adriel Desautels, managing partner and CEO at penetration firm Netragard, told eWEEK. “When they started, the bounties were almost insults. They were $500 and $3,000. Now, they are much more competitive with what other agencies and brokers are willing to pay.”
Yet the acquisition of exploitable vulnerabilities by third parties has resulted in significant damage to software firms’ customers. When Apple refused earlier this year to help the FBI circumvent the security of the iPhone, an Israeli company reportedly sold the agency the equivalent of a skeleton key to iOS, giving the federal government the ability to decrypt a backlog of digital evidence.
Following the incident, and perhaps driven by it, Apple announced its first bug bounty at the Black Hat Security Briefings on Aug. 4. With a $200,000 headline-generating bug bounty, Apple’s program appears to be a strong statement that the company is jumping into the paid research market with both proverbial feet. However, the top payout is only for a very small—and at the same time, very hard to exploit—piece of the iOS software, the secure boot firmware. The more general remote execution vulnerabilities, the focus of most attackers, will bring a much smaller sum of $50,000.
Yet the program is a good start, Rich Mogull, principal analyst and CEO at security consultancy Securosis, said in a blog post.
“Apple didn’t need a program, but can certainly benefit from one,” he said. “This won’t motivate the masses or those with ulterior motives, but it will reward researchers interested in putting in the extremely difficult work to discover” some of the most dangerous classes of exploitable vulnerabilities.
Bug Bounties Spike as Software Firms, Researchers Compete for Flaws
Apple was one of three major remaining software companies that had a policy against cash bug bounties. Adobe, whose Flash and Acrobat software are popular targets of attackers, announced a program a year ago, but with no cash incentive. Oracle, the owner of the Java software framework, has criticized such programs as well as any effort to find bugs in its software.
Java and Flash have both been frequent targets of attackers’ efforts—a focus that’s sure to continue in the future, ZDI’s Gorenc said.
“We are seeing a shift from Microsoft vulnerabilities to Adobe vulnerabilities, and I think you see that from the shift in the attack landscape,” he said.
With its announcement, Apple joins the company of Microsoft, which launched its own bug bounty program in June 2013 and has awarded more than $500,000 in bounties. Google started its program in 2010 and has paid out more than $6 million.
Yet software companies continue to fall far short of the prizes offered by third-party firms. Software companies offer, on average, thousands of dollars per vulnerability. Google, for example, paid an average bounty of $2,700 in 2015.
Third-party brokers and exploit-development firms are paying at least an order of magnitude more. Exploit-tools developer Vupen, now operating under the name Zerodium, offered three $1 million bounties for iOS exploits last year, and eventually reported that a single team claimed one of the prizes. The company regularly offers $50,000 to $80,000 for browser exploits, $100,000 for Android and Windows Phone exploits and $500,000 for Apple iOS compromises.
Trend Micro’s ZDI, which pays for vulnerability information and then submits it to software developers, gave away $460,000 at the CanSecWest conference in March, including prizes for the first exploit of Microsoft’s latest browser, Edge.
In the end, software companies will have to become accustomed to rewarding security researchers and hackers who report vulnerabilities in their software. While five years ago software companies could refuse to pay for vulnerability information, these days, any firm without a bug bounty program could be seen as not doing its job, Desautels said.
“Software companies did not seem to care much about vulnerabilities, unless it somehow affected their bottom line,” he said. “All the recent news about people buying the vulnerabilities and software vendors not participating made it look like software vendors were not doing their job, and they were not.”
In the past, Netragard had acted as a broker of vulnerability information, facilitating high-value vulnerability sales. The company stopped the practice following revelations that Hacking Team, to whom Netragard had sold exploit techniques, had resold the attacks to questionable countries.
Yet, for the most part, sales will continue, and because attack information has such a short shelf life—as the National Security Agency can testify following the leak of some of its tools—demand will continue unabated. With vulnerabilities becoming harder to find, and software companies competing for information on flaws in their code, the price of exploits will only continue to rise.