Concerns about the growing unpredictability of the software vulnerability disclosure environment have been widespread in recent months, with many companies wondering how they can keep ahead of the market for zero-day exploits in their software. As black market and gray market vulnerability prices increase, some researchers are becoming less inclined to seek out the reward of traditional bug bounties. A recent New York Times article offered the latest exploration of the topic, reporting that a zero-day exploit for Apple iOS had recently sold for half a million dollars, according to two confidential sources.
Additionally, the publication reported that the average flaw now sells for around $35,000 to $160,000, and several gray market vulnerability resellers noted that their revenues had doubled in recent years. With the average exploit going undiscovered for 312 days, criminals and governments are eager to take advantage of vulnerabilities to spy on people or extract data. Countries such as the United States, Israel, Britain, Russia, India and Brazil are all among the top spenders. Market institutions such as brokers have appeared, and some hackers receive royalties that continue for as long as their flaw goes undiscovered. Compared to such a robust market, companies are having trouble competing.
Wrestling with the market
Many organizations offer bug bounty programs, but prizes for flaws in Google or Facebook software generally top out around $20,000. Microsoft recently announced that it would pay as much as $150,000 for certain individual flaws. Still, next to the cash offered by government and intelligence agencies interested in gaining access to such flaws, these sums are minor, security expert Graham Cluley explained in a blog post analyzing the article.
“The truth is that the likes of Google and Microsoft are never likely to be able to pay as much for a security vulnerability as the US or Chinese intelligence agencies,” he wrote. “And, of course, if a government or intelligence agency has paid through the nose for an unpatched zero-day exploit, they’re hardly likely to tell the rest of the world about the security issue.”
Further contributing to the issue is that hackers increasingly see their work as worthy of payment, the New York Times reported. Some have argued that such research is professional work, and that it is unethical for vendors or security companies that make money from it not to pay them.
Improving application security
Given the rising cost of purchasing zero-day exploits from researchers, organizations have a strong incentive to eliminate errors from software prior to release. Using a secure development lifecycle that incorporates approaches such as static analysis tools and peer code review, organizations can reduce the likelihood that vulnerabilities will make it to release. In turn, they won’t have to worry about competing with deep-pocketed, unknown buyers when the next $500,000 exploit surfaces. And such offers to hackers are inevitable, Howard Schmidt, a former White House cybersecurity coordinator, told the New York Times.
“If someone comes to you with a bug that could affect millions of devices and says, ‘You would be the only one to have this if you pay my fee,’ there will always be someone inclined to pay it,” he said.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.