Demand for Zero-Day Flaws Drives Bug Bounties to Exceed $1 Million

The Zerodium deal shows that market demand will readily support zero-day exploit code bounties of $1 million or more, security experts say.


On Nov. 1, Zerodium announced that it had agreed to pay $1 million for code that exploited a collection of bugs in Apple's iOS to fully compromise a device running the mobile operating system.

With typical bug bounty awards ranging from thousands to tens of thousands of dollars—and only a smattering of past deals paying more than $100,000 for vulnerabilities and exploits—the $1 million reward seemed to be an order of magnitude jump in the price paid for code that provides the ability to attack a software platform.

Yet, security experts have stressed that such a price tag is not unheard of in the world of gray-market deals for exploits, and that the need for governments to be able to compromise targeted devices is likely behind the massive payout.

"You are going to pay the money, because you need the exploit right now," said Adriel Desautels, CEO of Netragard, and a former exploit broker. "So the price is driven by need, the scarcity, and the timing—how soon they need it."

Zerodium, spun off from offensive security firm Vupen, is a startup whose bounties exist not to get bugs fixed, but to acquire exploit code for previously unreported vulnerabilities and resell it to third parties.

Zerodium did not respond to requests for comment, but the security experts interviewed for this article did not doubt the bounty offer. Although no hard evidence exists that Zerodium actually paid $1 million, the amount is not unreasonable for certain types of buyers. Several vulnerability experts pointed to the growing difficulty of finding and exploiting security issues as a major reason that bounties will climb higher.

"The security improvements that we’ve seen in products over the years have made it harder to find vulnerabilities," said Christopher Budd, global threat communications manager at Trend Micro, which purchased the Zero-Day Initiative, a software flaw research group, from Hewlett-Packard. "That affects supply and demand and also increases what the researchers are demanding."

The fact that vulnerabilities are being found and patched in the most popular software programs has led to a general increase in value of vulnerabilities, Logan Brown, president of vulnerability-information provider Exodus Intelligence, told eWEEK in an e-mail. In 2012, for example, Google raised its rewards for bugs in its Chrome Web browser, citing the increasing difficulty in finding security issues.

"Ultimately as software becomes more robust and developers understand security more and more, it becomes necessary to use multiple vulnerabilities and techniques to achieve reliable control," Brown said. "This takes an enhanced skill-set and a lot more time, thus raising the value of these capabilities."

Others disagreed. While on its face the $1 million payout suggests that bounties are rising, the high value assigned to the iOS vulnerability reflects demand rather than supply, Desautels said. The buyer likely needs to compromise iOS devices and is willing to pay.

"There is no inflation," he said. "This market has existed for a while, and the prices have really never changed. You've seen higher prices for higher priority items."

Who would pay $1 million for code capable of exploiting unreported flaws in a hard-to-crack mobile operating system? It turns out that the list of buyers is pretty short.

A variety of security companies might pay researchers for information on vulnerabilities so that they can add protective measures to their defensive security applications and services.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...