Money for vulns but 0-days ain’t free.

by: Renketsu Link

An interesting point was raised in a comment on an earlier article published at Mondo: to help level the playing field, why don’t companies offer cash rewards for vulnerabilities so they can be patched prior to publication?  This is not a new idea.  Such operations are called bug bounty programs and have been around since 1995.  The very first bug bounty program was instituted by Netscape (remember that?) as a way of improving their flagship product, Netscape Navigator.  Other companies you may have heard of started doing the same thing about ten years later, in a much higher profile way.  GitHub has one, Google and Facebook have them, some banks have them… I could go on and on, but there’s little point.  There are even companies that specialize in running bug bounty programs, handling the administration, bounty payments and legal hassles on the vendor’s behalf.

Here’s the thing: They’re pointless.

Bug bounty programs are a feel-good way for wannabe white hats to find vulns and make a little pocket money on the side, with reduced risk of being sued or arrested.  There are, of course, always exceptions to this rule because you can’t trust anybody or anything out to turn a profit.  Typically, bug bounty programs require that an NDA be signed when submitting proof, which can mean that the hacker is forbidden from publishing their work on their own, and sometimes even from talking about it.  If you’re looking to build your rep and maybe pad your resume a little, then unless you later get the go-ahead to publish, you wasted your time.  There is also only the say-so of the company running the program that any bugs found will actually be fixed, which, if the internet of shit community is any indication, is worth more than a wish and less than a fart.  Even governments and militaries have gotten into the cash-for-vulns business.

It is common for bug bounty programs to declare anything really interesting or sensitive off limits.  Of course, this means that anything with a security classification, personnel records, schedules, medical records… the things they actually need to worry about protecting… don’t get probed by anyone who doesn’t have a vested interest in taking them for all they’ve got and staying out of sight.  While there is some value in probing only public facing services, as we learned from Gary McKinnon it’s off the reservation where the really interesting things are hiding.  As if that wasn’t enough, a lot of bug bounties pay a pittance at best.  For the longest time Yahoo (for example) would pay at most $12.50 US for a vulnerability found anywhere in their infrastructure, and that was after people got fed up with their crappy t-shirts that only lasted two washes.

Of course, if you just want to earn some decent money for your work – fame being one of the enemies of the hacker at large, of course – you can sell weaponized 0-days on the black market for several tens of thousands of dollars if you don’t want to go into business for yourself building and running botnets or extortion rackets.  Governments are sometimes, depending on the severity and overall utility of the vuln, willing to pay in the low hundreds of thousands of dollars for 0-days that can be used offensively.  It is rumored that the United States government paid $100,000 US for a working copy of the infamous MS08-067 vulnerability almost a year before Microsoft found out about it.  I haven’t been able to confirm this (mostly because the person who originally found it politely turned down the job I offered him).  Apple’s iOS, which is widely touted as the most secure mobile OS, definitely has at least one true 0-day in each release (otherwise there wouldn’t be any such thing as jailbreaking), but why in the world would you sell your work to Apple when you could sell it to a vulnerability reseller and make well over a million dollars for a couple of days of dicking around?

A couple of hundred bucks at most compared to more significant digits than most people will ever see in their whole lives.  The math’s not hard.

Renketsu Link is one of the senior otaku of the Tanpa Supai Kai, an industrial espionage contractor headquartered in Hokkaido, Nihon. Beginning as a lowly copy protection cracker, Link swiftly rose to the position of chief network infiltration specialist with a concentration on data exfiltration. Link has pioneered multiple strategies and techniques for making CISOs commit seppuku and BOFHs go on shooting rampages in the NOC before swallowing thermite grenades.