The zero-day bounty hunters
Posted on 7 Dec 2012 at 14:54
Davey Winder explores the hidden world of the bounty-hunting security researcher, finding vulnerabilities for fun and profit
Fewer than 1% of the exploits detected by Microsoft in the first half of last year were against so-called zero-day vulnerabilities – those that were previously unknown. That figure raises a question: if the vast majority of real-world exploits are “known threats”, what makes zero days so valuable that they have spawned a hidden industry of bounty-hunting researchers?
Most people are comfortable with the idea of hiring penetration testers to poke holes in the corporate network, highlight the failings, and ultimately make those defences stronger. However, apply the same principle to software security and throw it into the free market, and that comfort zone is well and truly breached.
Q&A: The inside storyAn ethical hacker tells us about the life of a bug bounty hunter
This is the grey marketplace of security technology, where software giants pay huge sums to individuals to find holes in their products before the bad guys can exploit them. Not everyone in the IT security industry is happy with this “bounty hunter” approach to bug squashing, and the subject of zero days is becoming increasingly controversial thanks to their use in state-sponsored cyberweapons such as Stuxnet. In this feature, we explore this booming market and hear both sides of the argument.
The 1% equation
If, as Microsoft’s research suggests, 99% of exploits are against known vulnerabilities that remain unpatched by either the vendor or the user, then why is there all the fuss about the other 1%?
The likelihood of encountering a zero day as an individual business user is pretty low, not least because the shelf life of such an attack is limited to the short period between launch, detection and patching. The usefulness of a zero day exists only until that patch is available, which means that they tend to be reserved for attacks against high-profile and high-value targets. Stuxnet, for example, employed four zero-day exploits, and was used as a state-sponsored attack against another nation state.
As Sean Sutton, director of Deloitte Cyber Threat & Vulnerability Management Services, says: “This would suggest that you’re more likely to be hit by a zero day if you work at an organisation that could be targeted by this sort of high-level attacker – for example, if you work in the defence industry or are dealing with industrial secrets.”
It also provides the answer to the value question: zero days are valuable because they’re in such limited supply and, generally speaking, can be used only once before they become compromised. If you want to pull the trigger on that initial launch, you have to pay the going rate on the dark market.
The zero-day dark market
This dark market for zero days doesn’t just exist, it’s booming. An investigation by Forbes magazine earlier this year put together a price list for zero-day exploits based upon the vendor/product targeted; it ranged from around £1,000 to in excess of £100,000. The prices required an exclusive sale (the value of a zero day is immediately and fatally diluted once the exploit is distributed) and a promise that the vendor hadn’t been notified. Some were sold with staggered payments, the balance only being payable while the vendor had yet to release a patch.
The Google Pwnium security challenge earlier this year offered $1 million in rewards for people hacking the Chrome browser
That same investigation also spoke with a zero-day exploit broker, acting as a go-between for the security researchers who uncover these exploits and the “government hackers” who purchase them, no questions asked, for big bucks – as much as $250,000 in one case. It seems that state-sponsored hacking has deep pockets.
However, what about the flip side of the coin, where security researchers sell their discoveries to the vendors whose software is vulnerable to attack? Sam Stepanyan, a senior security consultant at Integralis, says vendors such as Google set a limit on the reward they’re prepared to pay. In the case of the Google “Elite” programme, it’s the strange figure of $3,133.7 – strange, that is, until you realise it spells “elite” in hacker speak.
However, the Google Pwnium security challenge earlier this year offered $1 million in rewards for people hacking the Chrome browser, and the only two entrants each picked up $60,000 for their zero-day exploits.
The point is that most vendors will pay for the information required to enable them to secure their products before the vulnerability in question can be exploited. The only variable is how much they’re willing to spend.
For more details about purchasing this feature and/or images for editorial usage, please contact Jasmine Samra on email@example.com
- Google promises faster Chrome with 64-bit support
- iPhone 6 release date, rumours, specs and features: when is the iPhone 6 coming out in the UK?
- Sony Xperia Z3 specs leak online
- Windows 8.2/Windows 9: release date, features and free cloud version
- Samsung Galaxy Alpha release date, specs and rumoured price in the UK
- Vodafone has worst reception but Ofcom tests questioned
- Boxed iPhone 6 photos leak online
- Still on IE8? You've got 18 months to upgrade
- iPhone 6 launch event tipped for 9 September
- Feature updates coming to Patch Tuesday
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- How to turn off Google Location Tracking
- 20 years of PC Pro: our greatest review mistakes
- 20 years of PC Pro: our first A-List
- Wikipedia's "right to be forgotten" protest hits the wrong note
- 3D printing hits the high street for plastic selfies
- 20 years of PC Pro: What amazed us in our first issue
- How Google Glass ruined my lunch hour
- Smartphone battery packs: can a USB power pack beat the festival battery blues?
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords