Zerodium is offering a $1.5 million bounty for iOS 10 zero-day exploits. This is the latest in a series of escalating vulnerability bounties offered to security researchers. It may seem excessive, but this is a market driven by demand. Crowd-sourcing to fill such needs is becoming more popular because it is successful. Bug and exploit bounty programs have an important function to play. The two kinds of program serve opposing purposes, but collectively they push the industry forward to a more mature state. In modeling the future, both will play an increasing role.
Zerodium is a leader on one side of the equation, coordinating bounties for independent security researchers, hackers, and technologists who are motivated by money and capable of discovering vulnerabilities and developing working exploits. This gives its buyers the ability to hack products. Other bug bounty companies and corporate programs do the opposite. They offer bounties on behalf of the technology companies, who seek to crowdsource the discovery of vulnerabilities in their products so they can close them. Microsoft, Facebook, Twitter, and many other companies run their own very successful bug bounty programs. External companies are also available to coordinate the work. HackerOne and Bugcrowd are two of the largest; they help their clients leverage the security research community to find vulnerabilities. HackerOne CEO Marten Mickos recently stated his company has paid over $10 million in bounties to date! Weaknesses are then corrected before exploits appear in the wild. Apple recently shifted its policy and joined the growing number of companies who leverage open security research resources to locate these vulnerabilities in their products. Many companies still shun the practice, only test their products in-house without the help of external teams, and do not offer rewards.
Not all bounty programs are the same. It is noble to help software and hardware companies make more secure products, but it rarely pays anywhere near what selling an exploit to a market coordination firm does; such a firm sells the exploit on to a specific client or to the highest bidder(s).
Apple’s bug-bounty program offers a respectable $200,000 reward. This is paltry compared to the recent offering by Zerodium of $1.5 million for an iOS zero-day exploit. It is not the first time Zerodium has offered a seven-figure bounty. In November, the company paid out $1 million for three different iOS 9 zero-day exploits.
I have always been a big fan of bug bounty programs. I believe they bring in a necessary element of diversity and tremendous resources to bear against finding legitimate weaknesses in products. They can be costly, but not as much as when products are hacked. Collectively, this puts pressure on companies to deliver hardened products, which benefits everyone. These rewards cover a large range of different software, services, and devices.
The combination of these programs gives choices to security researchers. There is more money to be made by selling exploits to brokers, but who knows where and how they will be used. Nation states are purportedly big buyers from such middlemen. The FBI recently spent over a million dollars to purchase an iOS exploit to get into an iPhone. On the other hand, helping make technology more secure by going through the product companies brings monetary rewards as well as fame, moral satisfaction, and employment opportunities. Either path is better than hackers using the exploits themselves for their own direct benefit.
One thing is for certain: this practice is here to stay, and the prices are likely to climb as technology plays a more crucial part in controlling and managing people’s lives, perceptions, and critical online services.
Image Credit/Source: https://www.zerodium.com/program.html