    Demand for Zero-Day Flaws Drives Bug Bounties to Exceed $1 Million

    By Robert Lemos - November 12, 2015

      On Nov. 1, Zerodium announced that it had agreed to pay $1 million for code that exploited a collection of bugs in Apple’s iOS to fully compromise a device running the mobile operating system.

      With typical bug bounty awards ranging from thousands to tens of thousands of dollars—and only a smattering of past deals paying more than $100,000 for vulnerabilities and exploits—the $1 million reward seemed to be an order of magnitude jump in the price paid for code that provides the ability to attack a software platform.

      Yet, security experts have stressed that such a price tag is not unheard of in the world of gray-market deals for exploits, and that the need for governments to be able to compromise targeted devices is likely behind the massive payout.

      “You are going to pay the money, because you need the exploit right now,” said Adriel Desautels, CEO of Netragard, and a former exploit broker. “So the price is driven by need, the scarcity, and the timing—how soon they need it.”

      Zerodium, spun off from offensive security firm Vupen, is a startup that focuses on creating bounties—not to fix bugs—but to sell exploit code for previously unreported vulnerabilities to third parties.

      While Zerodium did not respond to requests for comment, security experts interviewed for this article did not doubt the bounty offer. While no hard evidence exists that Zerodium actually paid $1 million, the amount is not unreasonable for certain types of buyers. Several vulnerability experts pointed to the greater difficulty in finding and exploiting security issues as a major reason that bounties will climb higher.

      “The security improvements that we’ve seen in products over the years have made it harder to find vulnerabilities,” said Christopher Budd, global threat communications manager at Trend Micro, which purchased the Zero-Day Initiative, a software flaw research group, from Hewlett-Packard. “That affects supply and demand and also increases what the researchers are demanding.”

      The fact that vulnerabilities are being found and patched in the most popular software programs has led to a general increase in value of vulnerabilities, Logan Brown, president of vulnerability-information provider Exodus Intelligence, told eWEEK in an e-mail. In 2012, for example, Google raised its rewards for bugs in its Chrome Web browser, citing the increasing difficulty in finding security issues.

      “Ultimately as software becomes more robust and developers understand security more and more, it becomes necessary to use multiple vulnerabilities and techniques to achieve reliable control,” Brown said. “This takes an enhanced skill-set and a lot more time, thus raising the value of these capabilities.”

      Others disagreed. While on its face, the $1 million payout suggests that bounties are rising, the high value assigned to the iOS vulnerability is more about demand, rather than supply, Desautels said. The buyer likely needs to compromise iOS devices and is willing to pay.

      “There is no inflation,” he said. “This market has existed for a while, and the prices have really never changed. You’ve seen higher prices for higher priority items.”

      Who would pay $1 million for the code capable of exploiting unreported flaws in a hard-to-crack mobile operating system? It turns out that the list of buyers is pretty short.

      A variety of security companies might pay researchers for information on vulnerabilities, so that they can add protection measures to their defensive security applications and services.


      While no single company would likely pay $1 million, a service supporting dozens of security companies might pay a significant sum for a few high-profile vulnerabilities, Brown said.

      “The interest in these types of capabilities is largely driven by defensive companies looking for protections against the rare, but high-profile capabilities,” he said. “In this case, the private buyer Zerodium can afford the bounty due to a pool of clients interested in paying for the intelligence. Each client would pay less than the bounty, but with a number of them this could be a profitable investment.”

      Yet the most likely explanation of the size of bounty is that one or more intelligence agencies need a way to compromise targeted phones and are willing to pay, according to other security experts.

      While the original announcement by Zerodium used the term “jailbreak” (a term used by those looking to remove carrier limitations on their mobile phone), selling to that market does not make sense, according to a September post by Robert Graham, CEO of Errata Security.

      Instead, a government is the most likely suspect, he stated.

      “Every time Apple comes out with a new version—like iOS 9, they fix old [flaws], requiring intelligence organizations to scramble to come up with new ones,” Graham stated. “Since 50 percent of iPhone users have updated to iOS 9 [in just over a three day period], intelligence organizations are ‘going dark’ quickly—unless they can get a new zero day.”

      The issue of “going dark” highlights a real danger for anyone paying for a vulnerability. At any time, the developer of the vulnerable software could find and fix a particular flaw, leaving a bug buyer with little information of value.

      Apple, for example, could have paid the $1 million bounty for the iOS exploit, removing the danger before others could use it. However, only Microsoft, Facebook and Google have paid significant sums of money for information on vulnerabilities in their products, and none have paid more than $120,000 for a single vulnerability.

      The announcement caused a stir in the security world. Some critics wanted the company to help patch the flaws. Others pointed to the lack of evidence of either exploits or a payout, and called the announcement a public relations stunt. And still others worried that the attack would enable governments to more easily spy on their citizens.

      Yet the trend toward rising payouts is unlikely to change, whoever the buyers are. With information technology inserting itself into every aspect of people’s daily lives, exploiting the software central to those systems is the best way to gain surreptitious access to that technology. Thus both defensive security companies and intelligence agencies looking for new offensive tools can find significant value in information on previously unreported vulnerabilities.

      Defensive IT security companies have to keep up with the Joneses. Any company that does not buy information on the latest flaws may find itself behind its competitors.

      A similar issue is driving nations to buy as well, said Netragard’s Desautels.

      “Imagine if our government stopped buying zero days,” he said. “Iran would not stop. North Korea would not stop. The market is driven largely by countries and governments, and as long as one is buying, others have to buy to keep up.”

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.
