The zero-day bounty hunters
Posted on 7 Dec 2012 at 14:54
Davey Winder explores the hidden world of the bounty-hunting security researcher, finding vulnerabilities for fun and profit
Fewer than 1% of the exploits detected by Microsoft in the first half of last year were against so-called zero-day vulnerabilities – those that were previously unknown. That figure raises a question: if the vast majority of real-world exploits are “known threats”, what makes zero days so valuable that they have spawned a hidden industry of bounty-hunting researchers?
Most people are comfortable with the idea of hiring penetration testers to poke holes in the corporate network, highlight the failings, and ultimately make those defences stronger. However, apply the same principle to software security and throw it into the free market, and that comfort zone is well and truly breached.
This is the grey marketplace of security technology, where software giants pay huge sums to individuals to find holes in their products before the bad guys can exploit them. Not everyone in the IT security industry is happy with this “bounty hunter” approach to bug squashing, and the subject of zero days is becoming increasingly controversial thanks to their use in state-sponsored cyberweapons such as Stuxnet. In this feature, we explore this booming market and hear both sides of the argument.
The 1% equation
If, as Microsoft’s research suggests, 99% of exploits are against known vulnerabilities that remain unpatched by either the vendor or the user, then why is there all the fuss about the other 1%?
The likelihood of encountering a zero day as an individual business user is pretty low, not least because the shelf life of such an attack is limited to the short period between launch, detection and patching. The usefulness of a zero day exists only until that patch is available, which means that they tend to be reserved for attacks against high-profile and high-value targets. Stuxnet, for example, employed four zero-day exploits, and was used as a state-sponsored attack against another nation state.
As Sean Sutton, director of Deloitte Cyber Threat & Vulnerability Management Services, says: “This would suggest that you’re more likely to be hit by a zero day if you work at an organisation that could be targeted by this sort of high-level attacker – for example, if you work in the defence industry or are dealing with industrial secrets.”
It also provides the answer to the value question: zero days are valuable because they’re in such limited supply and, generally speaking, can be used only once before they become compromised. If you want to pull the trigger on that initial launch, you have to pay the going rate on the dark market.
The zero-day dark market
This dark market for zero days doesn’t just exist, it’s booming. An investigation by Forbes magazine earlier this year put together a price list for zero-day exploits based upon the vendor/product targeted; prices ranged from around £1,000 to more than £100,000. The quoted prices assumed an exclusive sale (the value of a zero day is immediately and fatally diluted once the exploit is distributed) and a promise that the vendor hadn’t been notified. Some were sold with staggered payments, the balance being paid only for as long as the vendor had yet to release a patch.
That same investigation also spoke with a zero-day exploit broker, acting as a go-between for the security researchers who uncover these exploits and the “government hackers” who purchase them, no questions asked, for big bucks – as much as $250,000 in one case. It seems that state-sponsored hacking has deep pockets.
However, what about the flip side of the coin, where security researchers sell their discoveries to the vendors whose software is vulnerable to attack? Sam Stepanyan, a senior security consultant at Integralis, says vendors such as Google set a limit on the reward they’re prepared to pay. In the case of the Google “Elite” programme, it’s the strange figure of $3,133.7 – strange, that is, until you realise it spells “elite” in hacker speak.
However, the Google Pwnium security challenge earlier this year offered $1 million in rewards for people hacking the Chrome browser, and the only two entrants each picked up $60,000 for their zero-day exploits.
The point is that most vendors will pay for the information required to enable them to secure their products before the vulnerability in question can be exploited. The only variable is how much they’re willing to spend.