The zero-day bounty hunters

Davey Winder December 10, 2012

Fewer than 1% of the exploits detected by Microsoft in the first half of last year were against so-called zero-day vulnerabilities – those that were previously unknown. That figure raises a question: if the vast majority of real-world exploits are “known threats”, what makes zero days so valuable that they have spawned a hidden industry of bounty-hunting researchers?

Most people are comfortable with the idea of hiring penetration testers to poke holes in the corporate network, highlight the failings, and ultimately make those defences stronger. However, apply the same principle to software security and throw it into the free market, and that comfort zone is well and truly breached.

Q&A: The inside story

An ethical hacker tells us about the life of a bug bounty hunter

This is the grey marketplace of security technology, where software giants pay huge sums to individuals to find holes in their products before the bad guys can exploit them. Not everyone in the IT security industry is happy with this “bounty hunter” approach to bug squashing, and the subject of zero days is becoming increasingly controversial thanks to their use in state-sponsored cyberweapons such as Stuxnet. In this feature, we explore this booming market and hear both sides of the argument.

The 1% equation

If, as Microsoft’s research suggests, 99% of exploits are against known vulnerabilities that remain unpatched by either the vendor or the user, then why is there all the fuss about the other 1%?

The likelihood of encountering a zero day as an individual business user is pretty low, not least because the shelf life of such an attack is limited to the short period between launch, detection and patching. The usefulness of a zero day exists only until that patch is available, which means that they tend to be reserved for attacks against high-profile and high-value targets. Stuxnet, for example, employed four zero-day exploits, and was used as a state-sponsored attack against another nation state.

As Sean Sutton, director of Deloitte Cyber Threat & Vulnerability Management Services, says: “This would suggest that you’re more likely to be hit by a zero day if you work at an organisation that could be targeted by this sort of high-level attacker – for example, if you work in the defence industry or are dealing with industrial secrets.”

It also provides the answer to the value question: zero days are valuable because they’re in such limited supply and, generally speaking, can be used only once before they become compromised. If you want to pull the trigger on that initial launch, you have to pay the going rate on the dark market.

The zero-day dark market

This dark market for zero days doesn’t just exist, it’s booming. An investigation by Forbes magazine earlier this year put together a price list for zero-day exploits based upon the vendor/product targeted; it ranged from around £1,000 to in excess of £100,000. The prices required an exclusive sale (the value of a zero day is immediately and fatally diluted once the exploit is distributed) and a promise that the vendor hadn’t been notified. Some were sold with staggered payments, the balance only being payable while the vendor had yet to release a patch.

The Google Pwnium security challenge earlier this year offered $1 million in rewards for people hacking the Chrome browser

That same investigation also spoke with a zero-day exploit broker, acting as a go-between for the security researchers who uncover these exploits and the “government hackers” who purchase them, no questions asked, for big bucks – as much as $250,000 in one case. It seems that state-sponsored hacking has deep pockets.

However, what about the flip side of the coin, where security researchers sell their discoveries to the vendors whose software is vulnerable to attack? Sam Stepanyan, a senior security consultant at Integralis, says vendors such as Google set a limit on the reward they’re prepared to pay. In the case of the Google “Elite” programme, it’s the strange figure of $3,133.7 – strange, that is, until you realise it spells “elite” in hacker speak.

However, the Google Pwnium security challenge earlier this year offered $1 million in rewards for people hacking the Chrome browser, and the only two entrants each picked up $60,000 for their zero-day exploits.

The point is that most vendors will pay for the information required to enable them to secure their products before the vulnerability in question can be exploited. The only variable is how much they’re willing to spend.

Next Page
Send Email

Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.

You may also like
How to Add Bullet Points in Google Sheets

Lee Stanton December 3, 2023

delete all photos from iPhone
How to Delete All Photos from Your iPhone (Without Losing Them for Good)

Cassandra McBride December 3, 2023

Google Sheets How to Insert Drop Down
How to Insert Drop-Down Lists in Google Sheets

Jessie Richardson November 28, 2023

Send To Someone

Missing Device

    Todays Highlights
    How to Change the Location on a FireStick

    Lee Stanton April 1, 2023

    How to See Google Search History
    How to View Your Google Search History

    Steve Larner March 7, 2023

    How to Change Your User Name in Zoom

    Lee Stanton August 23, 2022

    How to Use Inspect Element

    Lee Stanton August 16, 2022

    how to download photos from google photos
    How to Download Photos from Google Photos

    Cassandra McBride December 3, 2022

    How to Change Your Username on Fortnite

    Lee Stanton February 20, 2023