The zero-day bounty hunters

7 Dec 2012

Davey Winder explores the hidden world of the bounty-hunting security researcher, finding vulnerabilities for fun and profit

Fewer than 1% of the exploits detected by Microsoft in the first half of last year were against so-called zero-day vulnerabilities – those that were previously unknown. That figure raises a question: if the vast majority of real-world exploits are “known threats”, what makes zero days so valuable that they have spawned a hidden industry of bounty-hunting researchers?

Most people are comfortable with the idea of hiring penetration testers to poke holes in the corporate network, highlight the failings, and ultimately make those defences stronger. However, apply the same principle to software security and throw it into the free market, and that comfort zone is well and truly breached.

This is the grey marketplace of security technology, where software giants pay huge sums to individuals to find holes in their products before the bad guys can exploit them. Not everyone in the IT security industry is happy with this “bounty hunter” approach to bug squashing, and the subject of zero days is becoming increasingly controversial thanks to their use in state-sponsored cyberweapons such as Stuxnet. In this feature, we explore this booming market and hear both sides of the argument.

The 1% equation

If, as Microsoft’s research suggests, 99% of exploits are against known vulnerabilities that remain unpatched by either the vendor or the user, then why is there all the fuss about the other 1%?

The likelihood of encountering a zero day as an individual business user is pretty low, not least because the shelf life of such an attack is limited to the short period between launch, detection and patching. The usefulness of a zero day exists only until that patch is available, which means that they tend to be reserved for attacks against high-profile and high-value targets. Stuxnet, for example, employed four zero-day exploits, and was used as a state-sponsored attack against another nation state.

As Sean Sutton, director of Deloitte Cyber Threat & Vulnerability Management Services, says: “This would suggest that you’re more likely to be hit by a zero day if you work at an organisation that could be targeted by this sort of high-level attacker – for example, if you work in the defence industry or are dealing with industrial secrets.”

It also answers the value question: zero days are valuable because they are in such limited supply and, generally speaking, can be used only once before they are detected and the underlying hole is patched, at which point the exploit is worthless. If you want to pull the trigger on that initial launch, you have to pay the going rate on the dark market.

The zero-day dark market

This dark market for zero days doesn’t just exist, it’s booming. An investigation by Forbes magazine earlier this year put together a price list for zero-day exploits based upon the vendor/product targeted; it ranged from around £1,000 to in excess of £100,000. The prices assumed an exclusive sale (the value of a zero day is immediately and fatally diluted once the exploit is distributed) and a promise that the vendor hadn’t been notified. Some were sold with staggered payments, each instalment payable only while the vendor had yet to release a patch, so the seller was paid for as long as the exploit kept working.

That same investigation also spoke with a zero-day exploit broker, acting as a go-between for the security researchers who uncover these exploits and the “government hackers” who purchase them, no questions asked, for big bucks – as much as $250,000 in one case. It seems that state-sponsored hacking has deep pockets.

However, what about the flip side of the coin, where security researchers sell their discoveries to the vendors whose software is vulnerable to attack? Sam Stepanyan, a senior security consultant at Integralis, says vendors such as Google set a limit on the reward they’re prepared to pay. In the case of the Google “Elite” programme, it’s the strange figure of $3,133.7 – strange, that is, until you realise it spells “elite” in hacker speak.

By contrast, the Google Pwnium security challenge earlier this year offered $1 million in rewards for people hacking the Chrome browser, and the only two entrants each picked up $60,000 for their zero-day exploits.

The point is that most vendors will pay for the information required to enable them to secure their products before the vulnerability in question can be exploited. The only variable is how much they’re willing to spend.