Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Bug Bounty Awards Climb as Software Security Improves

Top reward for iOS remote exploit hits $2 million, as companies who sell exploits to national governments have to offer more money to attract researchers to tackle increasingly secure software.

Exploit techniques for some zero-day software vulnerabilities just got even more lucrative for security researchers willing to sell them as cybersecurity intelligence firm Zerodium this week raised its payout for exploits - in some cases, doubling the awards.

Zerodium doubled the bounty it pays for unknown exploits targeting popular operating systems and software programs. It now pays up to $2 million for a flaw that could exploit Apple's iOS mobile operating system without any victim interaction, for example. Vulnerabilities in messaging applications, such as WhatsApp and iMessage, could earn up to $1 million, the company said.

"There is a significant increase in demands for remote exploits targeting messaging apps such as WhatsApp from our government customers as these apps are sometimes the only communication channel used by targets and end-to-end encryption makes it very difficult for governments to intercept these messages," Chaouki Bekrar, CEO at Zerodium, said in an e-mail interview. "Having the ability to remotely and directly compromise these apps without compromising the whole target phone is much more effective and we're increasing our prices to reflect this strategic need."

The increasing bounties that governments and companies are willing to pay for vulnerabilities highlights the greater difficulties that researchers have finding flaws in the most popular operating systems and products. Last year, both Google and Microsoft raised the amounts that they pay for specific classes of vulnerabilities. An exploitable flaw in Android will currently fetch up to $200,000 from Google.

Governments are likely paying for iPhone exploits because they are increasingly running into locked phones that they need to access. Similarly, using vulnerabilities in messaging programs allows government to intercept and monitor private messages. 

"At this price, they certainly aren’t being used to generate patches and IPS (intrusion prevention system) signatures," said Brian Gorenc, the director of vulnerability research at Trend Micro and leader of the firm's Zero Day Initiative program. "Governments, corporations, and other agencies with large financial resources can and do acquire these exploits to use for their own benefit."

Supply Side

Yet, other experts argue that the increase in price is driven more by a lack of supply—too few usable exploits in the public domain—and less about the demand countries have to exploit specific products. The high prices of exploitable iOS vulnerabilities are because there are so few exploits for the mobile operating system, says Dmitri Alperovich, co-founder and chief technology officer of CrowdStrike, a cybersecurity services firm.

"Finding these issues is no longer in the realm in an amateur first-year computer-science student takling a couple of hours and finding an exploit, like we saw 20 years ago," he said. "Now it requires a very dedicated person. It is a permanent and full-time job, not a hobby you can do on the side."

The high prices garnered for the sale of weaponized vulnerabilities to government agencies and large companies is a sore point for many in the defensive side of the industry. Trend Micro's Zero Day Initiative, for example, buys vulnerability information from researchers and then works with third-party software firms to confirm and close the security holes. 

"Researchers who sell exploits on the gray market need to understand their work can be used by others for any reason at all—even regimes who haven’t been labeled as 'repressive' actively try to acquire these types of exploits, and rarely do they report the bug to the vendor for remediation," says ZDI's Gorenc.

Most researchers continue to sell to the defensive bug bounty programs, said Marten Mickos, CEO of HackerOne, a firm that helps companies run bug bounty programs. He puts the premium payments in black-and-white terms, couching the money as a downpayment on researcher's ethics.

"This effectively becomes the ratio of goodness in the world," he says. "If you are a 'bad' player, you haver to offer 20 times more to attract the attention of researchers."

For that reason, the bug bounty programs are not worried about the competion of the high-paying exploitation firms, says Trend Micro's Gorenc.

"We do believe we can compete with gray market vendors because we provide a different experience," he said, highlighting the researchers submitting vulnerabilities to ZDI can discuss the issue at conference and get credit for the discovery. "White market bounty programs might not pay as much as gray or black market programs, but by providing other benefits, we continue to have success as evidenced by having our biggest year ever with over 1,400 advisories published."

Yet, Zerodium is finding that plenty of researchers continue to submit exploitable bugs to its program.

"The truth is that exploitation is harder, it takes longer, but more researchers are looking into these targets," says Zerodium's Bekrar. The company will continue to increase its prices to keep "the momentum and encourage researchers to keep hunting for exploits," he said.

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...