Vulnerabilities / Threats

Bug Bounty Awards Climb as Software Security Improves

Top reward for iOS remote exploit hits $2 million, as companies who sell exploits to national governments have to offer more money to attract researchers to tackle increasingly secure software.

Exploit techniques for some zero-day software vulnerabilities just got even more lucrative for security researchers willing to sell them as cybersecurity intelligence firm Zerodium this week raised its payout for exploits - in some cases, doubling the awards.

Zerodium doubled the bounty it pays for unknown exploits targeting popular operating systems and software programs. It now pays up to $2 million for a flaw that could exploit Apple's iOS mobile operating system without any victim interaction, for example. Vulnerabilities in messaging applications, such as WhatsApp and iMessage, could earn up to $1 million, the company said.

"There is a significant increase in demands for remote exploits targeting messaging apps such as WhatsApp from our government customers as these apps are sometimes the only communication channel used by targets and end-to-end encryption makes it very difficult for governments to intercept these messages," Chaouki Bekrar, CEO at Zerodium, said in an e-mail interview. "Having the ability to remotely and directly compromise these apps without compromising the whole target phone is much more effective and we're increasing our prices to reflect this strategic need."

The increasing bounties that governments and companies are willing to pay for vulnerabilities highlights the greater difficulties that researchers have finding flaws in the most popular operating systems and products. Last year, both Google and Microsoft raised the amounts that they pay for specific classes of vulnerabilities. An exploitable flaw in Android will currently fetch up to $200,000 from Google.

Governments are likely paying for iPhone exploits because they are increasingly running into locked phones that they need to access. Similarly, using vulnerabilities in messaging programs allows government to intercept and monitor private messages. 

"At this price, they certainly aren’t being used to generate patches and IPS (intrusion prevention system) signatures," said Brian Gorenc, the director of vulnerability research at Trend Micro and leader of the firm's Zero Day Initiative program. "Governments, corporations, and other agencies with large financial resources can and do acquire these exploits to use for their own benefit."

Supply Side

Yet, other experts argue that the increase in price is driven more by a lack of supply—too few usable exploits in the public domain—and less about the demand countries have to exploit specific products. The high prices of exploitable iOS vulnerabilities are because there are so few exploits for the mobile operating system, says Dmitri Alperovich, co-founder and chief technology officer of CrowdStrike, a cybersecurity services firm.

"Finding these issues is no longer in the realm in an amateur first-year computer-science student takling a couple of hours and finding an exploit, like we saw 20 years ago," he said. "Now it requires a very dedicated person. It is a permanent and full-time job, not a hobby you can do on the side."

The high prices garnered for the sale of weaponized vulnerabilities to government agencies and large companies is a sore point for many in the defensive side of the industry. Trend Micro's Zero Day Initiative, for example, buys vulnerability information from researchers and then works with third-party software firms to confirm and close the security holes. 

"Researchers who sell exploits on the gray market need to understand their work can be used by others for any reason at all—even regimes who haven’t been labeled as 'repressive' actively try to acquire these types of exploits, and rarely do they report the bug to the vendor for remediation," says ZDI's Gorenc.

Most researchers continue to sell to the defensive bug bounty programs, said Marten Mickos, CEO of HackerOne, a firm that helps companies run bug bounty programs. He puts the premium payments in black-and-white terms, couching the money as a downpayment on researcher's ethics.

"This effectively becomes the ratio of goodness in the world," he says. "If you are a 'bad' player, you haver to offer 20 times more to attract the attention of researchers."

For that reason, the bug bounty programs are not worried about the competion of the high-paying exploitation firms, says Trend Micro's Gorenc.

"We do believe we can compete with gray market vendors because we provide a different experience," he said, highlighting the researchers submitting vulnerabilities to ZDI can discuss the issue at conference and get credit for the discovery. "White market bounty programs might not pay as much as gray or black market programs, but by providing other benefits, we continue to have success as evidenced by having our biggest year ever with over 1,400 advisories published."

Yet, Zerodium is finding that plenty of researchers continue to submit exploitable bugs to its program.

"The truth is that exploitation is harder, it takes longer, but more researchers are looking into these targets," says Zerodium's Bekrar. The company will continue to increase its prices to keep "the momentum and encourage researchers to keep hunting for exploits," he said.

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Julian Assange Arrested in London
Dark Reading Staff 4/11/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
The Single Cybersecurity Question Every CISO Should Ask
Arif Kareem, CEO, ExtraHop,  4/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11320
PUBLISHED: 2019-04-18
In Motorola CX2 1.01 and M2 1.01, users can access the router's /priv_mgt.html web page to launch telnetd, as demonstrated by the 192.168.51.1 address.
CVE-2019-11321
PUBLISHED: 2019-04-18
An issue was discovered in Motorola CX2 1.01 and M2 1.01. The router opens TCP port 8010. Users can send hnap requests to this port without authentication to obtain information such as the MAC addresses of connected client devices.
CVE-2019-11322
PUBLISHED: 2019-04-18
An issue was discovered in Motorola CX2 1.01 and M2 1.01. There is a command injection in the function startRmtAssist in hnap, which leads to remote code execution via shell metacharacters in a JSON value.
CVE-2019-8999
PUBLISHED: 2019-04-18
An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account.
CVE-2018-17168
PUBLISHED: 2019-04-18
PrinterOn Enterprise 4.1.4 contains multiple Cross Site Request Forgery (CSRF) vulnerabilities in the Administration page. For example, an administrator, by following a link, can be tricked into making unwanted changes to a printer (Disable, Approve, etc).