On Nov. 1, Zerodium announced that it had agreed to pay $1 million for code that exploited a collection of bugs in Apple’s iOS to fully compromise a device running the mobile operating system.
With typical bug bounty awards ranging from thousands to tens of thousands of dollars—and only a smattering of past deals paying more than $100,000 for vulnerabilities and exploits—the $1 million reward seemed to be an order of magnitude jump in the price paid for code that provides the ability to attack a software platform.
Yet, security experts have stressed that such a price tag is not unheard of in the world of gray-market deals for exploits, and that the need for governments to be able to compromise targeted devices is likely behind the massive payout.
“You are going to pay the money, because you need the exploit right now,” said Adriel Desautels, CEO of Netragard, and a former exploit broker. “So the price is driven by need, the scarcity, and the timing—how soon they need it.”
Zerodium, spun off from offensive security firm Vupen, is a startup that focuses on creating bounties—not to fix bugs—but to sell exploit code for previously unreported vulnerabilities to third parties.
While Zerodium did not respond to requests for comment, security experts interviewed for this article did not doubt the bounty offer. While no hard evidence exists that Zerodium actually paid $1 million, the amount is not unreasonable for certain types of buyers. Several vulnerability experts pointed to the greater difficulty in finding and exploiting security issues as a major reason that bounties will climb higher.
“The security improvements that we’ve seen in products over the years have made it harder to find vulnerabilities,” said Christopher Budd, global threat communications manager at Trend Micro, which purchased the Zero-Day Initiative, a software flaw research group, from Hewlett-Packard. “That affects supply and demand and also increases what the researchers are demanding.”
The fact that vulnerabilities are being found and patched in the most popular software programs has led to a general increase in value of vulnerabilities, Logan Brown, president of vulnerability-information provider Exodus Intelligence, told eWEEK in an e-mail. In 2012, for example, Google raised its rewards for bugs in its Chrome Web browser, citing the increasing difficulty in finding security issues.
“Ultimately as software becomes more robust and developers understand security more and more, it becomes necessary to use multiple vulnerabilities and techniques to achieve reliable control,” Brown said. “This takes an enhanced skill-set and a lot more time, thus raising the value of these capabilities.”
Others disagreed. While on its face the $1 million payout suggests that bounties are rising, the high value assigned to the iOS vulnerability is more about demand than supply, Desautels said. The buyer likely needs to compromise iOS devices and is willing to pay.
“There is no inflation,” he said. “This market has existed for a while, and the prices have really never changed. You’ve seen higher prices for higher priority items.”
Who would pay $1 million for the code capable of exploiting unreported flaws in a hard-to-crack mobile operating system? It turns out that the list of buyers is pretty short.
A variety of security companies might pay researchers for information on vulnerabilities, so that they can add protection measures to their defensive security applications and services.
Demand for Zero-Day Flaws Drives Bug Bounties to Exceed $1 Million
While no single company would likely pay $1 million, a service supporting dozens of security companies might pay a significant sum for a few high-profile vulnerabilities, Brown said.
“The interest in these types of capabilities is largely driven by defensive companies looking for protections against the rare, but high-profile capabilities,” he said. “In this case, the private buyer Zerodium can afford the bounty due to a pool of clients interested in paying for the intelligence. Each client would pay less than the bounty, but with a number of them this could be a profitable investment.”
Yet the most likely explanation for the size of the bounty is that one or more intelligence agencies need a way to compromise targeted phones and are willing to pay, according to other security experts.
While the original announcement by Zerodium used the term “jailbreak” (a term used by those looking to remove carrier limitations on their mobile phones), selling to that market does not make sense, according to a September post by Robert Graham, CEO of Errata Security.
Instead, a government is the most likely suspect, he stated.
“Every time Apple comes out with a new version—like iOS 9, they fix old [flaws], requiring intelligence organizations to scramble to come up with new ones,” Graham stated. “Since 50 percent of iPhone users have updated to iOS9 [in just over a three day period], intelligence organizations are ‘going dark’ quickly—unless they can get a new zero day.”
The issue of “going dark” highlights a real danger for anyone paying for a vulnerability. At any time, the developer of the vulnerable software could find and fix a particular flaw, leaving a bug buyer with little information of value.
Apple, for example, could have paid the $1 million bounty for the iOS exploit, removing the danger before others could use it. However, only Microsoft, Facebook and Google have paid significant sums of money for information on vulnerabilities in their products, and none have paid more than $120,000 for a single vulnerability.
The announcement caused a stir in the security world. Some critics wanted the company to help patch the flaws. Others pointed to the lack of evidence of either exploits or a payout, and called the announcement a public relations stunt. And still others worried that the attack would enable governments to more easily spy on their citizens.
Yet the trend toward rising payouts is unlikely to change no matter who the potential buyers are. With information technology inserting itself into every aspect of people’s daily lives, exploiting the software central to those systems is the best way to gain surreptitious access to that technology. Thus both defensive security companies and intelligence agencies looking for new offensive tools can find significant value in information on previously unreported vulnerabilities.
Defensive IT security companies have to keep up with the Joneses. Any company that does not buy information on the latest flaws may find itself behind its competitors.
A similar issue is driving nations to buy as well, said Netragard’s Desautels.
“Imagine if our government stopped buying zero days,” he said. “Iran would not stop. North Korea would not stop. The market is driven largely by countries and governments, and as long as one is buying, others have to buy to keep up.”