Cengage Technology & Computing Blog
Bountiful Bug Bounties



If you have software, you will have software bugs; that's just a simple fact of life. Even if you follow secure coding techniques, bugs will surface. Some of these bugs are benign and do not cause much harm. Other bugs can be much more dangerous, especially if they introduce security vulnerabilities.


For many years large corporations have paid security researchers to uncover security bugs in their products and then privately report them so that the bugs can be patched before threat actors find them. These are called "bug bounties." Google, which started its program back in November 2010, pays anywhere from $100 to $31,337 per bug. While that may not sound like much, in 2017 (the last full year on record) Google paid $2.8 million in bug bounties. Google also maintains a bug bounty "Hall of Fame" for those who have uncovered the most important bugs.


Oath, the Verizon subsidiary that manages Yahoo!, AOL and Tumblr, invited 40 security researchers in April 2018 to a live hacking event. Over the course of just one day, hundreds of bugs were discovered, netting a total bug bounty of over $400,000. Oath held a second event in November 2018 (this time over three days) and 159 vulnerabilities were discovered, resulting in another payout of over $400,000. It's estimated that Oath paid over $5 million for bugs in 2018.


There are several other players that offer bug bounties. But two in particular are perhaps not the ones that would first come to mind as buyers of bugs.


The European Commission (EC) is offering bug bounties for security vulnerabilities that are uncovered in some of the most popular free and open source software. Who is the EC? They are part of the European Union (EU) and are responsible for essentially managing the daily affairs of the EU. Why would they be part of a bug bounty program? It's because a threat actor who can uncover and leverage a software bug could steal sensitive and important EU information and then use it to expose or embarrass the EU or EC. And it's already happened before: the EC was a victim back in November 2016, and last month (Dec 2018) thousands of diplomatic cables were stolen by attackers.


The programs for which the EC is offering bug bounties read like a listing of what's on your hard drive: KeePass, 7-zip, Filezilla, VLC, Notepad++, server-based programs like Apache Tomcat and Drupal, and several other popular tools that the EU institutions rely on. Their bug bounty rewards range from €25,000-€90,000 ($28,600-$103,000).


The second player is Zerodium. Who are they? Zerodium, which first started in 2015, calls itself "The leading exploit acquisition platform for premium zero-days and advanced cybersecurity capabilities." Zerodium buys bug information and then sells this information to "mainly government organizations in need of specific and tailored cybersecurity capabilities and/or protective solutions to defend against zero-day attacks." In other words, these governments may use the knowledge of these zero-day bugs to defend themselves from future attacks, or they may instead use the information to launch silent attacks against their citizens and other nations.


But the prices that Zerodium pays are nothing like those of Google, Oath, or the other well-known vendors. Zerodium now pays up to $2 million for zero-click jailbreaks {Chapter 10 Security+ 6e} of Apple's iOS, $1.5 million for one-click iOS jailbreaks, and $1 million for exploits that take over the secure messaging apps WhatsApp and iMessage. "Zero-click" simply means that the attack would not require the user to perform any action whatsoever: once the malware was pushed out to the device it would immediately begin its work. They are also offering $1 million for a zero-click remote code execution (RCE) attack in Windows. RCE allows an attacker to access another device and manipulate it. In fact, in this week's (Jan 8 2019) first Patch Tuesday update of 2019 Microsoft focused on RCE vulnerabilities, with half of the 47 total patches addressing RCE issues.


And these are significant increases in price. Each of the aforementioned examples is a $500,000 increase over previously advertised Zerodium prices.


Some have speculated that the dramatic increase in Zerodium's prices is because these vulnerabilities are harder to find, and they say perhaps it's because we're getting better at security. That's hardly the case. More likely, there is simply higher demand from governments for these vulnerabilities.


At any rate, it's an arms race to see who can find the security vulnerability bugs first: the attackers (so they can exploit them), the companies like Google and Oath (so they can patch them), or exploit acquisition platforms (so they can sell them to others).