So You Want To Be A Zero Day Exploit Millionaire?On the active market for reporting and selling zero day vulnerabilities, you can make big money. But you'll have to answer difficult ethical questions.
Have you discovered a killer zero-day vulnerability in a widely used product? Can the bug be "weaponized," or actively exploited?
Then you could make thousands of dollars or more by selling it to TippingPoint's Zero Day Initiative (ZDI), the iDefense Vulnerability Contributor Program, or one of 20 other legal and public programs that reward bug hunters. Or make even more money--perhaps 10 times as much--by selling it on the black market, or to a defense contractor. In the case of defense contractors, you'll get paid in stages, dependent on there being no public knowledge of the bug for a preset period of time, thus giving their customers time to put the information to use.
The reason defense contractors and security firms pay big bucks for this information is because their customers--including governments--then know that their adversaries don't have it. Accordingly, they can take precautions to defend themselves against the vulnerability, or potentially even use it themselves for industrial espionage purposes.
With all of the effort that businesses devote to patching and preventing their corporate networks and systems from being exploited, it might seem surprising that there's a thriving trade in zero-day vulnerabilities, predicated on keeping knowledge of these vulnerabilities out of the public domain. And regardless of whether you think it is right or wrong, the practice exists.
Thankfully, the discovery of high-value bugs is apparently the exception, not the rule. "The problem is that a lot of vulnerabilities today aren't worth being sold," says Marc Maiffret, CTO of eEye. For proof, just peruse the ExploitHub market from NSS Labs, which sells exploits--but only for known vulnerabilities. There you'll currently find lots of exploits worth a few hundred dollars, and one or two involving Oracle database vulnerabilities (of which there's seemingly an endless supply) worth about $1,000. These are hardly big-ticket exploits.
For security researchers with knowledge of a bug that's not worth much, or for researchers who question the ethics of selling any bug information, there are alternatives. Last week, for example, vulnerability information service Secunia launched its Secunia Vulnerability Coordination Reward Program, which formalizes what Secunia says it's been doing informally for some time: It acts as a go-between for security researchers that have discovered a vulnerability in a product, and the vendor of that product. "Many researchers have appreciated that we take out all of the tedious communication with the vendor," says Thomas Kristensen CSO of Secunia. (Any interested security researchers can report their vulnerability to email@example.com.)
The "reward" part of the program is that two top researchers per year will get their hotel and conference fees covered for a security conference, while other top-performers will get some free high-end security merchandise. In return, Secunia sees no remuneration, although will sometimes get a mention--"coordinated by Secunia"--in any resulting security bulletins. So far this year, Secunia has coordinated between researchers and vendors on 234 vulnerabilities, involving 118 security advisories.
Furthermore, in cases where there's a cash reward offered for bugs--for example, from Google--Secunia says that money will go straight to the researcher. But Secunia says it won't coordinate between researchers and programs such as ZDI, because they violate Secunia's bug disclosure policy, which specifies that "there's no disclosure of information to anyone"--including Secunia's customers--"until a vendor chooses to patch the vulnerability, or they've been dragging out the coordination for longer than 12 months," says Kristensen. (After 12 months, Secunia releases the information, though Kristensen said few vendors drag their heels for this long.)
Compared with that type of policy, information on zero-day vulnerabilities that's bought and sold on vulnerability markets may stay in private hands much longer. But, do such practices jeopardize security for the many, while safeguarding just the few? "It's a tradeoff, it's a hard thing, because with any vulnerability like that, you're leaving people potentially at risk," says eEye's Maiffret. "Then when you see the power of zero-day vulnerabilities, such as Stuxnet, taking out the nuclear capabilities of Iran, some people would say that that increased risk is probably worth it."
Stuxnet famously included not one, but an unprecedented four zero-day vulnerabilities to ensure that the malware successfully infiltrated its target. By many accounts, it worked. Still, it's not clear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market.
While the buying and selling of zero-day vulnerabilities sounds alarming, however, it turns out that attackers largely don't bother to exploit them, likely because there are already so many known--but unpatched--vulnerabilities to work with. Furthermore, it's rare that bad guys will independently discover a zero-day vulnerability that's known but hasn't been reported, says Maiffret.
Furthermore, as highlighted by Verizon's Data Breach Investigations Report, patching alone isn't enough to keep a business secure, since by Verizon's count, in 381 attacks, only five vulnerabilities were exploited by attackers. (Notably, however, the report failed to count all-too-common SQL injections as vulnerabilities.)
"We're very much in the day and age where you have to act like there are vulnerabilities you don't know about," says Maiffret. "If your main points of defense are antivirus and making sure that systems are patched, then you're just going to fail. There's just too much out there, both in terms of vulnerabilities and malware."
Accordingly, instead of worrying about exploits for undiscovered bugs, businesses should really "understand the importance of good configuration, and good architecture, and how to minimize your company's attack surface," says Maiffret. "A lot of it isn't sexy stuff," he concedes, since it involves best practices for system and network configuration. Nevertheless, it goes quite a long way to mitigating modern exploits.