    Bug Bounties Spike as Software Firms, Researchers Compete for Flaws

    By
    ROBERT LEMOS
    -
    August 21, 2016
      At the Black Hat 2016 security conference in early August, Apple offered select researchers up to $200,000 to find previously unknown ways to compromise the company’s iOS operating system or iCloud service.

      Less than a week later, third-party security firm Exodus Intelligence upped the ante, offering $500,000 for remote exploitation on iOS—10 times more than Apple offered for the same level of compromise.

      The competing offers for information on exploitable vulnerabilities highlight the evolving battle between software vendors, who increasingly want to bolster the security of their products by tapping researchers, and third-party firms who seek to make money from exclusive vulnerability information.

      As software companies become more at ease with paying researchers for vulnerabilities and third parties see more opportunity in buying exploits, the market for security researchers’ efforts has grown, Brian Gorenc, senior vulnerability researcher for Trend Micro’s Zero Day Initiative, told eWEEK. ZDI’s program, for example, has grown steadily this year, receiving the most submissions by researchers to date, he said.

      “Right now, it is a really good time to be a vulnerability researcher,” Gorenc said.

      The environment is a marked departure from even four years ago, when executives at companies such as Microsoft and Apple refused to pay security researchers who found vulnerabilities, and relied instead on altruism and the desire to promote a personal brand to convince researchers to disclose vulnerabilities for free.

      “I think bug bounty programs are awesome and they have come a long way from where they were initially,” Adriel Desautels, managing partner and CEO at penetration firm Netragard, told eWEEK. “When they started, the bounties were almost insults. They were $500 and $3,000. Now, they are much more competitive with what other agencies and brokers are willing to pay.”

      Yet the acquisition of exploitable vulnerabilities by third parties has resulted in significant damage to software firms’ customers. When Apple refused earlier this year to help the FBI circumvent the security of the iPhone, an Israeli company reportedly sold the agency the equivalent of a skeleton key to iOS, giving the federal government the ability to decrypt a backlog of digital evidence.

      Following the incident, and perhaps driven by it, Apple announced its first bug bounty at the Black Hat Security Briefings on Aug. 4. With a $200,000 headline-generating bug bounty, Apple’s program appears to be a strong statement that the company is jumping into the paid research market with both proverbial feet. However, the top payout is only for a very small—and at the same time, very hard to exploit—piece of the iOS software, the secure boot firmware. The more general remote execution vulnerabilities, the focus of most attackers, will bring a much smaller sum of $50,000.

      Yet the program is a good start, Rich Mogull, principal analyst and CEO at security consultancy Securosis, said in a blog post.

      “Apple didn’t need a program, but can certainly benefit from one,” he said. “This won’t motivate the masses or those with ulterior motives, but it will reward researchers interested in putting in the extremely difficult work to discover” some of the most dangerous classes of exploitable vulnerabilities.

      Apple was one of three major remaining software companies that had a policy against cash bug bounties. Adobe, whose Flash and Acrobat software are popular targets of attackers, announced a program a year ago, but with no cash incentive. Oracle, the owner of the Java software framework, has criticized such programs as well as any effort to find bugs in its software.

      Java and Flash have both been frequent targets of attackers’ efforts—a focus that’s sure to continue in the future, ZDI’s Gorenc said.

      “We are seeing a shift from Microsoft vulnerabilities to Adobe vulnerabilities, and I think you see that from the shift in the attack landscape,” he said.

      With its announcement, Apple joins the company of Microsoft, which had launched its own bug bounty program in June 2013 and has awarded more than $500,000 in bounties. Google started its program in 2010 and has paid out more than $6 million.

      Yet software companies continue to fall far short of the prizes offered by third-party firms. Software companies offer, on average, thousands of dollars per vulnerability. Google, for example, paid an average bounty of $2,700 in 2015.

      Third-party brokers and exploit-development firms are paying at least an order of magnitude more. Exploit-tools developer Vupen, now operating under the name Zerodium, offered three $1 million bounties for iOS exploits last year, and eventually reported that a single team claimed one of the prizes. The company regularly offers $50,000 to $80,000 for browser exploits, $100,000 for Android and Windows Phone exploits and $500,000 for Apple iOS compromises.

      Trend Micro’s ZDI, which pays for vulnerability information and then submits it to software developers, gave away $460,000 at the CanSecWest conference in March, including prizes for the first exploit of Microsoft’s latest browser, Edge.

      In the end, software companies will have to become accustomed to rewarding security researchers and hackers who report vulnerabilities in their software. While five years ago software companies could refuse to pay for vulnerability information, these days, any firm without a bug bounty program could be seen as not doing its job, Desautels said.

      “Software companies did not seem to care much about vulnerabilities, unless it somehow affected their bottom line,” he said. “All the recent news about people buying the vulnerabilities and software vendors not participating made it look like software vendors were not doing their job, and they were not.”

      In the past, Netragard had acted as a broker of vulnerability information, facilitating high-value vulnerability sales. The company stopped the practice following revelations that Hacking Team, to whom Netragard had sold exploit techniques, had resold the attacks to questionable countries.

      Yet, for the most part, sales will continue, and because attack information has such a short shelf life—as the National Security Agency can testify following the leak of some of its tools—demand will continue unabated. With vulnerabilities becoming harder to find, and software companies competing for information on flaws in their code, the price of exploits will only continue to rise.