Let’s inspect the frequently visited argument that black markets pay more than bug bounty, thus somehow making bug bounties irrelevant.
You have a whole bunch of cough medicine.
Walgreens says: “I want to buy your cough medicine and sell it. I’ll pay $8 a box. We resell it at corner stores for $10 box.”
Black Market says: “I want to buy your cough medicine and sell it. I’ll pay $16 a box. We’ll have a significant profit. We won’t say who or how it’ll be used. Don’t tell anyone we bought from you. No more questions!“
Sure… you could sell to the latter, but there are significant burdens you must pay the seller for, unrelated to their discovery efforts. A black market needs to compensate for these burdens. Example: If the buyer could end up cooking bulk meth and ratting you out after they’re caught, the seller will need to be compensated for that possible risk.
Otherwise if the tradeoff isn’t right, you’d just sell to Walgreens.
Let’s continue this analogy with some security scenarios.
You have a security vulnerability.
Bug Bounty program says: “I want to fix vulnerabilities. We reward $5000 for big bugs, $500 for small. We can’t profit off of a vuln, and we have a lot of others to fix, so we plan on making our bounty budget go a long way.”
Black Market says “I weaponize vulns into exploits and use them. I won’t tell you who will be exploited. Make sure this vuln is exclusive to us and the transaction is confidential. I’ll offer you plenty at $100k because maybe I’m either profiting in criminal sized proportions or funded by a defense budget. Also, your name could be associated with my attack: Law enforcement or intelligence agencies may become interested in you as an accomplice.”
The “black market” route accumulates risk that must be managed:
- You must maintain an ops-sec overhead to manage that risk.
- You must maintain secrecy to maintain the value of what is sold.
- You must share unknown risk with the buyer.
How a Russian hacker made $45,000 selling a 0-day Flash exploit to Hacking Team
View more stories If you're a Moscow-based zero-day exploit seller, all you have to do is e-mail a spyware company like…
This explains, partially, why you’re paid more. Because, an ops-sec life sucks, and because you’re profiting off of this gamble. These precautions are needed whether you think a healthy criminal market for bugs exists somewhere, or only the known markets for bugs sold to intelligence agencies or law enforcements. Handcuffs, surveillance, or the risk of a leak all becomes plausible in most non-disclosure market situations that involve eventual exploitation.
It also makes arguments that companies should meet black market pricing sort of ridiculous. The company won’t profit wildly off of the exploitation of their own vulnerability. They also have to consider the entire universe of their bugs, whereas an adversary just need to spread a budget across a small set.
The buyer may also have illicit funding, or defense budget sized funding, the latter of which may annually exceed the entire total capital available of most companies running a program. Totally unreasonable to expect a competitive reward between these worlds.
After a black market has purchased this vulnerability: The bug bounty program is still in the market. Another hacker may approach a bug bounty and disclose the same vulnerability and eliminate much of the value of the black market transaction.
This is why it is so important to have a thriving, healthy, community around bug bounty. The vulnerability weapons cache is not safe from remote depletion. Research depletes weapons caches we may not even know about.
We may not have evidence of the absence of some types of vulnerability markets, but we can diminish their possible existence anyway.
Criminal Market Lies
There is an common, underlying assumption that large, healthy, criminal-use markets for zero day exploits exist at all, or are even necessary. Any practical incident response experience says that most observable criminals who would monetize an attack campaign are successful without zero days.
It’s not to say vulnerabilities have not ever been bought and sold by / to criminals — but this behavior is far from being a widely accessible market in its strictest sense.
A criminal attack campaign is easily able to accomplish a goal with stolen credentials, older drive by exploits, or simple misconfigurations in a target. The criminal need for a zero day is nearly eliminated with these opportunities being so widely available, also increasing their overall profit by not needing to purchase one.
Some interesting anecdotes related to this:
People here seem to have a strongly misplaced expectations about what bug bounti... | Hacker News
Serve sleazy advertising? Ok, possible, but ad's are a crappy business to be in and its definitely a high volume/long…
No, it is not worth "millions or billions". It is worth whatever anyone is willi... | Hacker News
There are no legal entities that would buy the bug, the USG can access any data w/ a warrant (thats free) vs. "millions…
This leaves a remaining market for law enforcement, intelligence, or security institutions. These are known, somewhat observable markets with analogous ops-sec overhead and similarly poor insight as to eventual exploitation or distribution. There are analogous costs to the vuln finder as a criminal market, should one exist, though they might not be as deep.
The Wolves of Vuln Street - The First System Dynamics Model of the 0day Market - HackerOne
Katie Moussouris has been working with economics and policy researchers from MIT and Harvard to study the economic…
This goes into a more specific modeling of the economic effects of bug bounties against an exploit marketplace.
Hopefully this will be useful dispelling a common, weak argument against bug bounties. Black markets are certainly something to consider in the overall picture of security, but they hardly make a modern security program irrelevant and only provide more reasons to encourage hacking.
This is an update on “Illustrating the Exploit Market” on Quora from 2013, an earlier take on the topic.
I’m a security guy, former Facebook, Coinbase, and currently an advisor and consultant for a handful of startups including HackerOne. Incident Response and security team building is generally my thing, but I’m mostly all over the place.