The going rate for a good security bug can help an undergrad pay for tuition or a cash-strapped researcher put a down payment on a car. And that's just if he or she sells it to a legitimate security software firm, which pays anywhere from $2,000 to $10,000 a bug.
The black market can be even more lucrative. A bad guy hacker can get $20,000 to $30,000 for a "weaponized" exploit, says David Maynor, senior researcher for SecureWorks. (See Getting Buggy with the MOBB.) "This is something that is pretty much fire-and-forget and wouldn't require much technical expertise to run," Maynor says.
What the two markets have in common is potential impact: The more targets a bug can hit if it's converted into an exploit and let loose in the wild, the more it pays.
Among the security firms who do business with bug writers are 3Com/TippingPoint's Zero Day Initiative, iDefense, and Digital Armaments. "They typically pay between $2,000 and $10,000 for these so they are able to better protect their clients from these exploits and work with vendors to help them develop protections," Maynor says.
It's a controversial practice. IDefense has been criticized for reselling bugs it buys, as well as for its promotions. It recently held a contest that paid $10,000 for remote Windows vulnerabilities, for example.
3Com's year-old Zero Day Initiative has about 400 registered researchers from whom the firm has purchased over 100 bugs, according to Terri Forslof, security response manager for 3Com's Zero Day Initiative program. And the program has yielded results, she says. "We've released 25 public advisories and have a slew in the queue waiting for the vendors to correct them," says Forslof, who wouldn't disclose what 3Com pays the bug-writers.
No one knows for sure just how much you can make on the black market, but tens of thousands of dollars for a browser bug isn't unheard of. The infamous Windows MetaFile vulnerability used in malware last year was reportedly purchased by bad guys for $4,000.
"There are small communities of researchers doing this and managing to sell to crime syndicates," says one researcher who requested anonymity.
Most vendors who buy the bugs say they are careful about who they deal with. ImmunitySec, which purchases vulnerability bugs for its Canvass tool, tries to work mostly with researchers it knows, says David Aitel, ImmunitySec's CTO. "When we're buying a bug, we typically know the people we're dealing with. We're more likely to buy from 'friends and family'," Aitel says.
There's a lengthy contract negotiation phase involved in a bug buy, too, Aitel says, and ImmunitySec could pay the researcher $2,500 and then spend another $2,500 in legal negotiation fees.
And ImmunitySec doesn't fork out the big bucks like iDefense and others. "We're not going to pay tens of thousands of dollars for the perfect bug," he says. "We get approached all the time. Sometimes we get burnt, sometimes not. If they are dishonest, their price usually goes up" which kills the deal.
But the practice of bugs for money has its ethical dilemma, too. Does offering money for bugs basically create a monster, or does it actually tame potential monsters out there in the wild?
Peter Lindstrom, research director for Spire Security, says he doesn't necessarily buy the altruistic claims of researchers who sell their handiwork to security vendors. "When there's money interests involved, you can no longer claim altruistic motives," he says. "I get tired of folks saying this will reduce risk. Clearly, all this stuff demonstrated in the real world increases our risk -- the typical buffer overflow or cross-site scripting bug isn't going to help anything."
Lindstrom says he's torn, though, on whether having this somewhat formalized process for sharing vulnerabilities is better than nothing. "Offering money creates a market. But [the legitimate buyers] attract these folks into a more open, structured process, which is better" than the unchecked black market, he says, and it creates a nice paper trail, too. But he also worries this more formal market inadvertently boosts a bug's black market potential as well.
Not all researchers sell their bugs, however, and not all security firms will buy them. EEye Digital Security, for instance, hires its own bug hunters and doesn't buy or sell what it finds. "Organizations that do are adding a level of legitimacy to the underground market that has always existed," says Steve Manzuik, research manager for eEye. EEye takes its vulnerability findings to vendors first, such as Microsoft, he says.
There's no way to stop a money-hungry bug writer from starting a bidding war between the good guys and bad guys, either. "Whoever pays more gets the goods. It is naive to assume that the good guys will always, or even often, outbid the criminally intended bidders," says Ivan Arce, CTO of Core Security, which finds vulnerabilities in software but doesn't sell them.
Bug creators, meanwhile, sometimes score "real job" opportunities when they peddle their vulnerability code with security firms. Aitel says the bulk of ImmunitySec's research is done in-house, so if a bug-writer's work is good enough for the company to buy, he or she is probably qualified for hiring and could be considered for a job.
Whether it's more cost-effective to work as a freelance bug writer or get a day job depends. A vulnerability researcher costs about $80,000 to $100,000 per year to a security company, Arce says, and you'd have to generate ten big-time bugs worth about $10,000 apiece to match a legit salary. "You would need to be really good at it and dedicate full time to the task."
Still, there's a healthy market for the freelancers. "Clearly, the model works because the supply of bugs is generated not by professional bug finders, but by amateurs or hobbyists that are either unemployed or perform other duties for their official employer," Arce says.
Kelly Jackson Higgins, Senior Editor, Dark Reading