Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Bug Bounty Awards Climb as Software Security Improves

Top reward for iOS remote exploit hits $2 million, as companies who sell exploits to national governments have to offer more money to attract researchers to tackle increasingly secure software.

Exploit techniques for some zero-day software vulnerabilities just got even more lucrative for security researchers willing to sell them as cybersecurity intelligence firm Zerodium this week raised its payout for exploits - in some cases, doubling the awards.

Zerodium doubled the bounty it pays for unknown exploits targeting popular operating systems and software programs. It now pays up to $2 million for a flaw that could exploit Apple's iOS mobile operating system without any victim interaction, for example. Vulnerabilities in messaging applications, such as WhatsApp and iMessage, could earn up to $1 million, the company said.

"There is a significant increase in demands for remote exploits targeting messaging apps such as WhatsApp from our government customers as these apps are sometimes the only communication channel used by targets and end-to-end encryption makes it very difficult for governments to intercept these messages," Chaouki Bekrar, CEO at Zerodium, said in an e-mail interview. "Having the ability to remotely and directly compromise these apps without compromising the whole target phone is much more effective and we're increasing our prices to reflect this strategic need."

The increasing bounties that governments and companies are willing to pay for vulnerabilities highlights the greater difficulties that researchers have finding flaws in the most popular operating systems and products. Last year, both Google and Microsoft raised the amounts that they pay for specific classes of vulnerabilities. An exploitable flaw in Android will currently fetch up to $200,000 from Google.

Governments are likely paying for iPhone exploits because they are increasingly running into locked phones that they need to access. Similarly, using vulnerabilities in messaging programs allows government to intercept and monitor private messages. 

"At this price, they certainly aren’t being used to generate patches and IPS (intrusion prevention system) signatures," said Brian Gorenc, the director of vulnerability research at Trend Micro and leader of the firm's Zero Day Initiative program. "Governments, corporations, and other agencies with large financial resources can and do acquire these exploits to use for their own benefit."

Supply Side

Yet, other experts argue that the increase in price is driven more by a lack of supply—too few usable exploits in the public domain—and less about the demand countries have to exploit specific products. The high prices of exploitable iOS vulnerabilities are because there are so few exploits for the mobile operating system, says Dmitri Alperovich, co-founder and chief technology officer of CrowdStrike, a cybersecurity services firm.

"Finding these issues is no longer in the realm in an amateur first-year computer-science student takling a couple of hours and finding an exploit, like we saw 20 years ago," he said. "Now it requires a very dedicated person. It is a permanent and full-time job, not a hobby you can do on the side."

The high prices garnered for the sale of weaponized vulnerabilities to government agencies and large companies is a sore point for many in the defensive side of the industry. Trend Micro's Zero Day Initiative, for example, buys vulnerability information from researchers and then works with third-party software firms to confirm and close the security holes. 

"Researchers who sell exploits on the gray market need to understand their work can be used by others for any reason at all—even regimes who haven’t been labeled as 'repressive' actively try to acquire these types of exploits, and rarely do they report the bug to the vendor for remediation," says ZDI's Gorenc.

Most researchers continue to sell to the defensive bug bounty programs, said Marten Mickos, CEO of HackerOne, a firm that helps companies run bug bounty programs. He puts the premium payments in black-and-white terms, couching the money as a downpayment on researcher's ethics.

"This effectively becomes the ratio of goodness in the world," he says. "If you are a 'bad' player, you haver to offer 20 times more to attract the attention of researchers."

For that reason, the bug bounty programs are not worried about the competion of the high-paying exploitation firms, says Trend Micro's Gorenc.

"We do believe we can compete with gray market vendors because we provide a different experience," he said, highlighting the researchers submitting vulnerabilities to ZDI can discuss the issue at conference and get credit for the discovery. "White market bounty programs might not pay as much as gray or black market programs, but by providing other benefits, we continue to have success as evidenced by having our biggest year ever with over 1,400 advisories published."

Yet, Zerodium is finding that plenty of researchers continue to submit exploitable bugs to its program.

"The truth is that exploitation is harder, it takes longer, but more researchers are looking into these targets," says Zerodium's Bekrar. The company will continue to increase its prices to keep "the momentum and encourage researchers to keep hunting for exploits," he said.

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13991
PUBLISHED: 2020-09-24
vm/opcodes.c in JerryScript 2.2.0 allows attackers to hijack the flow of control by controlling a register.
CVE-2020-15160
PUBLISHED: 2020-09-24
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8
CVE-2020-15162
PUBLISHED: 2020-09-24
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
CVE-2020-15843
PUBLISHED: 2020-09-24
ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow "Full Control" t...
CVE-2020-17365
PUBLISHED: 2020-09-24
Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially craf...