The zero-day bounty hunters
Posted on 7 Dec 2012 at 14:54
Davey Winder explores the hidden world of the bounty-hunting security researcher, finding vulnerabilities for fun and profit
Fewer than 1% of the exploits detected by Microsoft in the first half of last year were against so-called zero-day vulnerabilities – those that were previously unknown. That figure raises a question: if the vast majority of real-world exploits are “known threats”, what makes zero days so valuable that they have spawned a hidden industry of bounty-hunting researchers?
Most people are comfortable with the idea of hiring penetration testers to poke holes in the corporate network, highlight the failings, and ultimately make those defences stronger. However, apply the same principle to software security and throw it into the free market, and that comfort zone is well and truly breached.
Q&A: The inside storyAn ethical hacker tells us about the life of a bug bounty hunter
This is the grey marketplace of security technology, where software giants pay huge sums to individuals to find holes in their products before the bad guys can exploit them. Not everyone in the IT security industry is happy with this “bounty hunter” approach to bug squashing, and the subject of zero days is becoming increasingly controversial thanks to their use in state-sponsored cyberweapons such as Stuxnet. In this feature, we explore this booming market and hear both sides of the argument.
The 1% equation
If, as Microsoft’s research suggests, 99% of exploits are against known vulnerabilities that remain unpatched by either the vendor or the user, then why is there all the fuss about the other 1%?
The likelihood of encountering a zero day as an individual business user is pretty low, not least because the shelf life of such an attack is limited to the short period between launch, detection and patching. The usefulness of a zero day exists only until that patch is available, which means that they tend to be reserved for attacks against high-profile and high-value targets. Stuxnet, for example, employed four zero-day exploits, and was used as a state-sponsored attack against another nation state.
As Sean Sutton, director of Deloitte Cyber Threat & Vulnerability Management Services, says: “This would suggest that you’re more likely to be hit by a zero day if you work at an organisation that could be targeted by this sort of high-level attacker – for example, if you work in the defence industry or are dealing with industrial secrets.”
It also provides the answer to the value question: zero days are valuable because they’re in such limited supply and, generally speaking, can be used only once before they become compromised. If you want to pull the trigger on that initial launch, you have to pay the going rate on the dark market.
The zero-day dark market
This dark market for zero days doesn’t just exist, it’s booming. An investigation by Forbes magazine earlier this year put together a price list for zero-day exploits based upon the vendor/product targeted; it ranged from around £1,000 to in excess of £100,000. The prices required an exclusive sale (the value of a zero day is immediately and fatally diluted once the exploit is distributed) and a promise that the vendor hadn’t been notified. Some were sold with staggered payments, the balance only being payable while the vendor had yet to release a patch.
The Google Pwnium security challenge earlier this year offered $1 million in rewards for people hacking the Chrome browser
That same investigation also spoke with a zero-day exploit broker, acting as a go-between for the security researchers who uncover these exploits and the “government hackers” who purchase them, no questions asked, for big bucks – as much as $250,000 in one case. It seems that state-sponsored hacking has deep pockets.
However, what about the flip side of the coin, where security researchers sell their discoveries to the vendors whose software is vulnerable to attack? Sam Stepanyan, a senior security consultant at Integralis, says vendors such as Google set a limit on the reward they’re prepared to pay. In the case of the Google “Elite” programme, it’s the strange figure of $3,133.7 – strange, that is, until you realise it spells “elite” in hacker speak.
However, the Google Pwnium security challenge earlier this year offered $1 million in rewards for people hacking the Chrome browser, and the only two entrants each picked up $60,000 for their zero-day exploits.
The point is that most vendors will pay for the information required to enable them to secure their products before the vulnerability in question can be exploited. The only variable is how much they’re willing to spend.
For more details about purchasing this feature and/or images for editorial usage, please contact Jasmine Samra on firstname.lastname@example.org
- What is Google Inbox?
- Windows 10 release date, features and how to get the Technical Preview
- Google announces the Nexus 6, Nexus 9 and the arrival of Android Lollipop
- Lenovo and Ashton Kutcher launch Yoga Tablet 2 Pro, Yoga Tablet 2 and Yoga 3 Pro
- Lenovo Yoga event live stream: watch Ashton Kutcher's tablet launch live
- HTC shows off Desire Eye selfie phone and periscope-like camera
- Xim: the slideshow app to get excited about
- Adobe has more apps for iOS, but none for Android
- How to download and install Windows 10 Technical Preview
- iPhone 6 Plus "less likely to bend than HTC One"
- Google Glass: mugger bait, pub problem and other lessons learned from two dangerous weeks
- Twitter, please don't fiddle with my feed
- How Satya Nadella can get some pay-raise karma
- Windows 10: a step back to go forward
- Michael Dell: Cloud infrastructure is the roads, bridges and highways of the 21st century
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords