Bug Bounty Awards Climb as Software Security ImprovesTop reward for iOS remote exploit hits $2 million, as companies who sell exploits to national governments have to offer more money to attract researchers to tackle increasingly secure software.
Exploit techniques for some zero-day software vulnerabilities just got even more lucrative for security researchers willing to sell them as cybersecurity intelligence firm Zerodium this week raised its payout for exploits - in some cases, doubling the awards.
Zerodium doubled the bounty it pays for unknown exploits targeting popular operating systems and software programs. It now pays up to $2 million for a flaw that could exploit Apple's iOS mobile operating system without any victim interaction, for example. Vulnerabilities in messaging applications, such as WhatsApp and iMessage, could earn up to $1 million, the company said.
"There is a significant increase in demands for remote exploits targeting messaging apps such as WhatsApp from our government customers as these apps are sometimes the only communication channel used by targets and end-to-end encryption makes it very difficult for governments to intercept these messages," Chaouki Bekrar, CEO at Zerodium, said in an e-mail interview. "Having the ability to remotely and directly compromise these apps without compromising the whole target phone is much more effective and we're increasing our prices to reflect this strategic need."
The increasing bounties that governments and companies are willing to pay for vulnerabilities highlights the greater difficulties that researchers have finding flaws in the most popular operating systems and products. Last year, both Google and Microsoft raised the amounts that they pay for specific classes of vulnerabilities. An exploitable flaw in Android will currently fetch up to $200,000 from Google.
Governments are likely paying for iPhone exploits because they are increasingly running into locked phones that they need to access. Similarly, using vulnerabilities in messaging programs allows government to intercept and monitor private messages.
"At this price, they certainly aren’t being used to generate patches and IPS (intrusion prevention system) signatures," said Brian Gorenc, the director of vulnerability research at Trend Micro and leader of the firm's Zero Day Initiative program. "Governments, corporations, and other agencies with large financial resources can and do acquire these exploits to use for their own benefit."
Yet, other experts argue that the increase in price is driven more by a lack of supply—too few usable exploits in the public domain—and less about the demand countries have to exploit specific products. The high prices of exploitable iOS vulnerabilities are because there are so few exploits for the mobile operating system, says Dmitri Alperovich, co-founder and chief technology officer of CrowdStrike, a cybersecurity services firm.
"Finding these issues is no longer in the realm in an amateur first-year computer-science student takling a couple of hours and finding an exploit, like we saw 20 years ago," he said. "Now it requires a very dedicated person. It is a permanent and full-time job, not a hobby you can do on the side."
The high prices garnered for the sale of weaponized vulnerabilities to government agencies and large companies is a sore point for many in the defensive side of the industry. Trend Micro's Zero Day Initiative, for example, buys vulnerability information from researchers and then works with third-party software firms to confirm and close the security holes.
"Researchers who sell exploits on the gray market need to understand their work can be used by others for any reason at all—even regimes who haven’t been labeled as 'repressive' actively try to acquire these types of exploits, and rarely do they report the bug to the vendor for remediation," says ZDI's Gorenc.
Most researchers continue to sell to the defensive bug bounty programs, said Marten Mickos, CEO of HackerOne, a firm that helps companies run bug bounty programs. He puts the premium payments in black-and-white terms, couching the money as a downpayment on researcher's ethics.
"This effectively becomes the ratio of goodness in the world," he says. "If you are a 'bad' player, you haver to offer 20 times more to attract the attention of researchers."
For that reason, the bug bounty programs are not worried about the competion of the high-paying exploitation firms, says Trend Micro's Gorenc.
"We do believe we can compete with gray market vendors because we provide a different experience," he said, highlighting the researchers submitting vulnerabilities to ZDI can discuss the issue at conference and get credit for the discovery. "White market bounty programs might not pay as much as gray or black market programs, but by providing other benefits, we continue to have success as evidenced by having our biggest year ever with over 1,400 advisories published."
Yet, Zerodium is finding that plenty of researchers continue to submit exploitable bugs to its program.
"The truth is that exploitation is harder, it takes longer, but more researchers are looking into these targets," says Zerodium's Bekrar. The company will continue to increase its prices to keep "the momentum and encourage researchers to keep hunting for exploits," he said.
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio