Prices for Zero-Days Double and Triple in One Year

Tzury Bar Yochay
Published in Reblaze Blog
Jan 30, 2017

How much is a zero-day exploit worth? Much more than it used to be.

Security vulnerabilities have been sold and resold for decades. But the game changed in 2015, when a startup named Zerodium announced its new “premium acquisition program” for zero-days.

The company was offering anywhere from $5,000 to $500,000 for “high-risk vulnerabilities with fully functional exploits” of web servers, email servers, web applications, operating systems, and more.

After the purchases, what would Zerodium do with these exploits? It would distribute them to its clients — and only to its clients. (According to a report in Wired, a subscription to Zerodium’s Security Research Feed costs at least $500,000.)

Zerodium’s offer had several stipulations. The company would buy only “original and previously unreported zero-day exploits.” The seller was forbidden to notify the vendor of the targeted system. Only Zerodium’s clients were allowed to know of the vulnerabilities.

Understandably, this caused an uproar within the security community.

This isn’t the first time that Zerodium CEO Chaouki Bekrar had outraged security researchers. His previous startup Vupen (a combination of “vulnerability” and “penetration”) had a similar business model to Zerodium. At Vupen, Bekrar became known for publicly taunting vendors of vulnerable products, in some cases publishing videos of himself exploiting the products while refusing to disclose the vulnerabilities he was using. One Google staffer called him an “ethically challenged opportunist,” while privacy activist Chris Soghoian called his company a “modern-day merchant of death,” selling “the bullets for cyberwar.”

Now his latest venture has taken things even further. Zerodium’s price transparency and other publicity efforts have gained lots of visibility for the company, and it seems to be flourishing.

So who buys these exploits? Zerodium’s website implies that many of its customers are corporations that wish to protect themselves from the vulnerabilities, but this seems very unlikely.

Obviously, the most likely buyers are those interested in exploiting the vulnerabilities themselves. Indeed, a 2013 request under the Freedom of Information Act revealed that the NSA (National Security Agency) was a customer of Vupen. Presumably, the NSA is a buyer of Zerodium’s offerings as well.

For those who want the Web to be a safe place, the rise of Zerodium and similar companies is not good news. Previously, the primary market for zero-days was bug bounties offered by the vendors themselves. This ensured that these vulnerabilities would be fixed immediately after discovery.

But Zerodium threatens to overturn this. All vulnerabilities sold to Zerodium remain secret. They cannot be patched by the vendor until they are re-discovered by someone else. Meanwhile, the exploits are free to be used, by whoever bought them.

And the company is quite deliberate in its efforts to ensure that this occurs. As its FAQ explains, “The majority of existing vulnerability acquisition programs… pay researchers very low rewards. At ZERODIUM we pay much higher rewards.”

Many in the security community find this business model revolting, and were hoping Zerodium would fail. Instead, the company seems to be flourishing.

At the end of 2015, Zerodium was offering a range of prices: a low of $5,000 (for exploits of Joomla, WordPress, etc.) to a high of $500,000 (for a remote jailbreak of Apple iOS).

In just one year, prices have skyrocketed. Offers for the least valuable exploits have doubled, while the most valuable exploits have tripled, now going for an eye-popping $1,500,000.

Zerodium’s profit margins are not public, of course. But it’s safe to say that it couldn’t be paying these prices unless it had lots of customers willing to buy them from Zerodium for even higher fees.

And that’s terrible news for the Web overall. Every time a sale is made to Zerodium, that’s one more exploitable vulnerability that stays secret and unpatched.

And that’s one more way in which the Web becomes a more dangerous environment.

Photo credit: Maklay62