Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Bug Bounty Awards Climb as Software Security Improves

Top reward for iOS remote exploit hits $2 million, as companies who sell exploits to national governments have to offer more money to attract researchers to tackle increasingly secure software.

Exploit techniques for some zero-day software vulnerabilities just got even more lucrative for security researchers willing to sell them as cybersecurity intelligence firm Zerodium this week raised its payout for exploits - in some cases, doubling the awards.

Zerodium doubled the bounty it pays for unknown exploits targeting popular operating systems and software programs. It now pays up to $2 million for a flaw that could exploit Apple's iOS mobile operating system without any victim interaction, for example. Vulnerabilities in messaging applications, such as WhatsApp and iMessage, could earn up to $1 million, the company said.

"There is a significant increase in demands for remote exploits targeting messaging apps such as WhatsApp from our government customers as these apps are sometimes the only communication channel used by targets and end-to-end encryption makes it very difficult for governments to intercept these messages," Chaouki Bekrar, CEO at Zerodium, said in an e-mail interview. "Having the ability to remotely and directly compromise these apps without compromising the whole target phone is much more effective and we're increasing our prices to reflect this strategic need."

The increasing bounties that governments and companies are willing to pay for vulnerabilities highlights the greater difficulties that researchers have finding flaws in the most popular operating systems and products. Last year, both Google and Microsoft raised the amounts that they pay for specific classes of vulnerabilities. An exploitable flaw in Android will currently fetch up to $200,000 from Google.

Governments are likely paying for iPhone exploits because they are increasingly running into locked phones that they need to access. Similarly, using vulnerabilities in messaging programs allows government to intercept and monitor private messages. 

"At this price, they certainly aren’t being used to generate patches and IPS (intrusion prevention system) signatures," said Brian Gorenc, the director of vulnerability research at Trend Micro and leader of the firm's Zero Day Initiative program. "Governments, corporations, and other agencies with large financial resources can and do acquire these exploits to use for their own benefit."

Supply Side

Yet, other experts argue that the increase in price is driven more by a lack of supply—too few usable exploits in the public domain—and less about the demand countries have to exploit specific products. The high prices of exploitable iOS vulnerabilities are because there are so few exploits for the mobile operating system, says Dmitri Alperovich, co-founder and chief technology officer of CrowdStrike, a cybersecurity services firm.

"Finding these issues is no longer in the realm in an amateur first-year computer-science student takling a couple of hours and finding an exploit, like we saw 20 years ago," he said. "Now it requires a very dedicated person. It is a permanent and full-time job, not a hobby you can do on the side."

The high prices garnered for the sale of weaponized vulnerabilities to government agencies and large companies is a sore point for many in the defensive side of the industry. Trend Micro's Zero Day Initiative, for example, buys vulnerability information from researchers and then works with third-party software firms to confirm and close the security holes. 

"Researchers who sell exploits on the gray market need to understand their work can be used by others for any reason at all—even regimes who haven’t been labeled as 'repressive' actively try to acquire these types of exploits, and rarely do they report the bug to the vendor for remediation," says ZDI's Gorenc.

Most researchers continue to sell to the defensive bug bounty programs, said Marten Mickos, CEO of HackerOne, a firm that helps companies run bug bounty programs. He puts the premium payments in black-and-white terms, couching the money as a downpayment on researcher's ethics.

"This effectively becomes the ratio of goodness in the world," he says. "If you are a 'bad' player, you haver to offer 20 times more to attract the attention of researchers."

For that reason, the bug bounty programs are not worried about the competion of the high-paying exploitation firms, says Trend Micro's Gorenc.

"We do believe we can compete with gray market vendors because we provide a different experience," he said, highlighting the researchers submitting vulnerabilities to ZDI can discuss the issue at conference and get credit for the discovery. "White market bounty programs might not pay as much as gray or black market programs, but by providing other benefits, we continue to have success as evidenced by having our biggest year ever with over 1,400 advisories published."

Yet, Zerodium is finding that plenty of researchers continue to submit exploitable bugs to its program.

"The truth is that exploitation is harder, it takes longer, but more researchers are looking into these targets," says Zerodium's Bekrar. The company will continue to increase its prices to keep "the momentum and encourage researchers to keep hunting for exploits," he said.

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
10 Notable Security Acquisitions of 2019 (So Far)
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-9391
PUBLISHED: 2019-06-17
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the s...
CVE-2017-9392
PUBLISHED: 2019-06-17
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the s...
CVE-2018-18958
PUBLISHED: 2019-06-17
OPNsense 18.7.x before 18.7.7 has Incorrect Access Control.
CVE-2019-5016
PUBLISHED: 2019-06-17
An exploitable arbitrary memory read vulnerability exists in the KCodes NetUSB.ko kernel module which enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. A specially crafted index value can cause an invalid memory rea...
CVE-2019-5017
PUBLISHED: 2019-06-17
An exploitable information disclosure vulnerability exists in the KCodes NetUSB.ko kernel module that enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. An unauthenticated, remote attacker can craft and send a packet...