Exploit buyer and seller Zerodium has once again jacked up what it’s willing to pay for zero-days.
On Monday, it announced new, bigger payouts, including up to $2 million for remote iOS jailbreaks and a doubled bounty, now $1 million, for remote code execution (RCE) vulnerabilities in chat apps such as WhatsApp and iMessage, or in other SMS/MMS apps.
The less user interaction an exploit requires, the fatter the payout. The maximum payout of $2m (up from the previous $1.5m) – for the remote iOS jailbreak – is reserved for an exploit that requires no clicks. Another that requires minimal user interaction – one click – is now fetching $1.5m, which is up from $1m.
Those figures might be eye-poppers, but this isn’t the first time, by any means, that we’ve seen exploit merchants buying zero-days for multiple times what manufacturers pay out. In August 2016, Exodus Intelligence was offering 2.5 times what Apple would pay for serious iOS exploits.
They can afford it, given what they’re selling those zero-days for. Around that time, a report from NSS Labs said that Exodus Intelligence’s customers were paying annual subscription fees that started at around $200,000 for access to its exploit database.
The report quoted Exodus Intelligence co-founder Aaron Portnoy as saying that Exodus was interested in delivering the nastiest of the nasties:
We try to make them as nasty and invasive as possible. We tout what we deliver as indicative of or surpassing the current technical capabilities of people who are actually actively attacking others.
…which can mean that exploit brokers’ customers could be on the side of the good guys – say, antivirus vendors who want to protect people from newly discovered holes – or that they could be on the offensive, interested in using undisclosed exploits to target systems themselves.
Zerodium has a similar business model: the US company, founded in 2015, says that its customers are mainly government organizations “in need of specific and tailored cybersecurity capabilities and/or protective solutions to defend against zero-day attacks” in the form of its Security Research Feed product.
As of September 2015, Zerodium was spending between $400,000 and $600,000 per month on vulnerability acquisitions and expected to spend around $1m per month before the end of the year – above and beyond the $1m it was offering for an iOS 9 bug at the time – according to what founder Chaouki Bekrar told eWEEK at the time.
More recently, with regards to the new payouts for zero-days it announced on Monday, Bekrar told SecurityWeek that the company’s customers are using the zero-days for good: for example, it’s acquired high-end Tor exploits that Zerodium customers have used to “fight crime and child abuse, and make the world a better and safer place for all.”
That sounds good, doesn’t it? If only we could be certain that the lucrative market for zero-days was only serving the good guys. In fact, Bekrar said, only a very limited number of governments and corporations can acquire the zero-days the firm peddles.
In the hands of intelligence agencies
As we’ve written about in the past, there are two sides to the debate over how much vulnerability information US intelligence agencies, for one, should hoard, as well as how they should use the vulnerabilities found in software used by their own citizens.
One side holds that a crucial element of protecting the homeland is for intelligence agencies to maintain a secret stash of vulnerabilities in order to intercept the communications or cyber weapons of criminals, terrorists and hostile governments. The other side of the coin is that those secrets don’t always stay secret. Vulnerabilities that fall into the hands of malicious actors can be exploited to attack millions of innocent users, or critical systems, before they’re patched: not a great outcome for protecting the homeland.
That’s not just theoretical: it happened in 2016, when the Shadow Brokers hackers released a cache of top-secret cyber attack tools, presumed to belong to the National Security Agency (NSA).
Another problem with zero-days being hoarded, sold, inadvertently leaked, or otherwise kept from the product manufacturers whose priority it is to close the holes and keep their customers and their data safe is that, for as long as they stay unpatched, those zero-days can be used to install backdoors or malware.
As Motherboard reported in August when covering the exploit purchaser and Zerodium competitor Crowdfense, governments use zero-days and other exploits unknown to software manufacturers in order to install malware on devices. Think of the FBI’s ongoing zeal to cripple iOS encryption, in order to install backdoors onto iPhones so agents can intercept messages before they get encrypted, or to remotely turn on a device’s microphone and turn it into a surreptitious recording device.
Crowdfense’s platform is making it easier for researchers to submit and sell individual exploits, piecemeal, without the need for a full exploit chain. Zerodium’s bounties are getting as fat as calves ready for the slaughter, and it’s easy to see why: there are plenty of governments, law enforcement agents and organizations with cash in hand, willing and able to snap up those security bugs, be it for good or evil.
To all of you bug hunters who choose to pass up huge payouts in order to instead ethically disclose vulnerabilities to the manufacturers, we don’t say this often enough, but we’re saying it now: thank you.
JD
“Waving” was a bad choice of words here, since “Waiving” means the exact opposite, and I thought that’s what you meant and just misspelled it.
Bug Hunter
So these exploits are being used to catch child abusers but you are saying that disclosing the bugs to the software vendor is the ethical thing to do instead??
disapointed
So, ensuring all systems are vulnerable is now good on the pretext criminals can be hacked into and caught. Even though criminals use the same vulnerabilities against a wider population to commit more crimes with them than are caught by them. Next week – ban security tools for the public to help ensure all systems are vulnerable and criminals can be caught? Glad my employer thinks otherwise.