The market for vulnerabilities has grown rapidly the last five years. While the market is certainly not new, going back well over ten years, more organizations are interested in acquiring 0-day / private vulnerabilities for a variety of needs. These vulnerabilities cover the gambit in applications and impacts, and range from the tens of dollars to $100,000 or more. While such transactions are sometimes public, high-end vulnerabilities that sell for large sums generally are not a matter of public record. That makes it difficult to track actual sale prices to gauge the value of such vulnerabilities.
In the vulnerability market place, the seller has the power. If they hold a 0-day vulnerability that is in demand, they can set their own price. For the few vulnerability brokers out there, the perception of vulnerability value is critical for their business. In March, 2013, a Forbes piece by Andy Greenberg covered this topic and told of the sale of an iOS vulnerability that allegedly sold for $250,000.
Even with the $250,000 payout [the Grugq] elicited for that deal, he wonders if he could have gotten more. “I think I lowballed it,” he wrote to me at one point in the dealmaking process. “The client was too happy.”
As expected, there is no validation of the claim of the sale. The price tag comes from the vulnerability broker who has an interest in making such prices public, even if they are exaggerated. Jump to July, 2013, and a New York Times article by Nicole Perlroth and David Sanger makes a vague reference to an iOS vulnerability that sold for $500,000.
Apple still has no such program, but its vulnerabilities are some of the most coveted. In one case, a zero-day exploit in Apple’s iOS operating system sold for $500,000, according to two people briefed on the sale.
Given the vague details, it is fairly safe to assume that it references the iOS vulnerability sale from a year earlier. The NY Times article sources many people regarding vulnerability value, including thegrugq on the first page. This means the vague reference to the “two people briefed on the sale” were likely people briefed by thegrugq as well. Ultimately, this means that both articles and both figures, all source to the same person who has a decided interest in publishing high numbers. Without any detail, the journalists could have contacted one or both sources via email, meaning they could have just as well been thegrugq himself.
I find it interesting that in the span of 1 year and 4 months, the price of that iOS vulnerability jumped from $250,000 to $500,000. More to the point, the original $250,000 price is way out of the league of the prices of vulnerabilities at that time, on any market. Some of us were speculating that a (truly) remote vulnerability in a default Windows installation would go for around $100,000, maybe more. Even if you double our suspected price, it wouldn’t surprise me that a nation-state with a budget would purchase for that amount. But an iOS vulnerability, even remote without user interaction, a year ago? That doesn’t make sense given the user-base and distribution.
Even more interesting, consider that 4 days after the NYTimes article, another outlet was reporting the original $250,000 price.
As I mentioned before, none of this is close to being verified. The only source on record, is someone who directly benefits from the perception that the price of that vulnerability is exceedingly high. Creating the market place value of vulnerabilities through main-stream media is brilliant on his part, if what I suspect is true. Of course, it also speaks to the state of journalism that seemingly no one tried to verify this beyond word-of-mouth.
In 2002, iDefense started their Vulnerability Contributor Program. The VCP was created to solicit vulnerability information from the security community and pay researchers for the information. Paying up to US$15,000 for a vulnerability or exploit, iDefense proved there was a significant market for such information after years of debate. The VCP also served as a stark reminder that researchers do not have an obligation to report vulnerabilities to vendors, that doing so is a courtesy.
The VCP pays for “actionable research”, meaning exploits in prominent software (e.g., Microsoft, Oracle) and infrastructure devices (e.g., Cisco). With the information in hand, iDefense in turn leverages researcher’s time by notifying their customers as an early warning system while handling the responsible disclosure of the information to the vendor. This activity can save a world of time for researchers who are long since tired of the headache that often comes with disclosure.
The list of vulnerabilities disclosed by iDefense is impressive. They attribute the large number of advisories to “250 security researchers worldwide”.
In the past few months, an OSF employee (Nepen) has begun to add creditee information for many vulnerabilities in prominent software. This has resulted in creditee information being added for all of the iDefense vulnerabilities. Using OSVDB, we can now look at their advisories in a new light.
iDefense employees have released 131 advisories, credited to 11 unique researchers and “iDefense Labs”. The VCP program has released 479 advisories, credited to 78 unique researchers and “anonymous”. If we assume the 250 researcher number is an estimate and includes both iDefense and VCP, then 89 researchers are distinct and public. That means the “anonymous” submissions make up approximately 161 unique people and cover 326 advisories out of the 479 released.
Using OSVDB’s new creditee system, we can see a neat timeline of the advisories as related to both iDefense and their VCP:
iDefense VCP (79 researchers, 479 advisories): http://osvdb.org/affiliations/1139-idefense-labs-vcp
iDefense Labs (12 researchers, 131 advisories): http://osvdb.org/affiliations/1091-idefense-labs
This is one of many neat ways to use the enhanced creditee system. Over time, as more information is added to the database, we can begin to look at other researchers and organizations.
Adam Penenberg wrote an article titled “The Black Market Code Industry” for FastCompany in which he details his research of two HP employees that actively sold exploit code in their spare time, at least one selling exploits in HP’s own software. According to the article, HP knew about one of the employees at the time of the article and were investigating. While a neat article and fun read, it left me with a lot more questions that I hope get answered at some point (how about a ‘Part 2’ Adam?).
- Does Rigano still work for HP now that the article has been out a week?
- Did either individual have access to source code to make their exploit writing easier? If so, did they have access to edit source code in any capacity (e.g. backdoors, adding vulnerable code)?
- Did Rigano actually sell his exploits? If so, to who and for how much? Checking the Full-Disclosure list archives, he appears to have had exploits for IIS 6.0, Firefox 2.x, MSIE 7, SAP, Apache, Microsoft Office and more.
- If Rigano did sell vulnerabilities, did he vette his buyers or could he have sold them to ‘enemy’ nations or hostile countries (relative I know)?
- Why is the FBI investigating a France based employee of HP?
- Is t0t0 a current employee of HP? If not, did he leave for his exploit selling activities? The article suggests that HP is aware of one of the two sellers. What do they have to say about this article now?
On January 17, 2007, SnoSoft / Netragard LLC announced a new Exploit Acquisition Program designed to compete with iDefense, TippingPoint and others. Nothing special or different other than the suggestion that they would pay more for high end vulnerabilities. A little over a year later, and they announced they were shutting down the Exploit Acquisition Program. From their post:
We regret to say that its true, we’ve shut down the Exploit Acquisition Program. The reason for the shutdown was that it was taking our buyers too long to complete a single transaction and it wasn’t fair to the researchers. While we’d expect a single transaction to take no more than a month, the average transaction time for our buyer was 4 months. The last transaction that we attempted took 7 months at which point the issues were silently patched and the transaction was dead. As it stands right now, we can’t justify asking anyone to wait that long to move a single item. So until the end players learn how to move faster, the high price bug brokering market just isn’t viable.
No offense to SnoSoft / Netragard, but their competitors have proven that the market is viable. I guess the trick is how you ‘sell’ the information. For iDefense it is early warning for their customers in case the same vulnerability is being exploited by others. For TippingPoint it is early warning and IPS signatures. For WabiSabiLabi it is more like the SnoSoft program, where one buyer gets exclusive rights to the information, and it appears to be working to some degree.
Another interesting article regarding the value of 0-day vulnerabilities. Rob Lemos relates the stories of a few researchers who sold their 0-day vulnerability/exploit information for big dollars. The twist here, which is news to some, is who purchased it (the .gov) and for how much (as high as 80k). This is significantly more than vulnerability purchase shops iDefense and ZDI (3COM/Tipping Point) currently offer. The only catch? The big spenders aren’t advertising so you have to have contacts to make such a sale. The scary part? We all know how cheap the U.S. government can be.. so how much are other governments paying?
Since the debate about pay-for-disclosure started, some folks have wondered what vulnerabilities are worth. We’ve seen companies like Verisign/iDefense and Tipping Point/ZDI offer serious money for vulnerabilities in the past. Adding to the mix, matousec.com has published a purchase page with prices of some of their vulnerability research information:
* Full analysis of reviewed personal firewalls
Visit Windows Personal Firewall analysis methodology page to get information about what the full analysis is. The full analysis is preferentially offered to the product vendor. If the vendor buys the analysis it is given 30 days protection for all private information included in this analysis.
o ZoneAlarm Pro 6.1.744.001 analysis – 1,500 ($ 1,950)
o Kerio Personal Firewall 4.3.246 analysis – 500 ($ 650)
o Norton Personal Firewall 2006 version 22.214.171.124 analysis – 1,500 ($ 1,950)
o BlackICE PC Protection 3.6.cpj analysis – 1,500 ($ 1,950)
* Single bugs of reviewed personal firewalls
Visit Windows Personal Firewall analysis methodology page to get information about what the single bug is.
o ZoneAlarm Pro 6.1.744.001 bugs – visit ZoneAlarm Pro 6.1.744.001 – Review
o Kerio Personal Firewall 4.3.246 bugs – visit Kerio Personal Firewall 4.3.246 – Review
o Norton Personal Firewall 2006 version 126.96.36.199 bugs – visit Norton Personal Firewall 2006 version 188.8.131.52 – Review
o BlackICE PC Protection 3.6.cpj bugs – visit BlackICE PC Protection 3.6.cpj – Review
Bugs and Money
Jennifer Granick has a good article up on Wired titled “Bug Bounties Exterminate Holes,” which talks about some of the issues raised in a panel discussion at CanSec last week. She makes some good points about commercialization of vulnerability research–pros and cons, risks and rewards, etc.
It’s well worth reading the whole article, but one small bit caught my eye…
I have advised two businesses that had plans to auction vulnerabilities to the highest bidder on eBay. (After talking with me, each decided not to take the risk.)
This is pretty disappointing. I would love an environment where software vendors are forced to pony-up cash to researchers if they want bug details, and are forced into a competitive market against “value-add” services (iDefense, ZDI, etc.), and even criminals. Some may see this as a form of blackmail, but I think it will shed some much-needed light on how vendors feel about security, and how much money they are really willing to spend to keep their customers safe. Already we see a non-profit organization (Mozilla) willing to pay $500 for the information, and multi-billion dollar companies unwilling to pay anything.
I realize there are many legal and ethical problems with auctioning vulnerabilities that need to be wrestled with (including problems with eBay), but would it really be worse than it is right now?
Back on December 8th, 2005, I posted a comment about someone who created an eBay entry for a “Brand new Microsoft Excel Vulnerability”. The vulnerability was never sold via eBay, but may have traded hands through other means. For the most part, this incident faded into the background but I think this was the proverbial pebble thrown into the pond. Jump forward to yesterday, and Microsoft released an advisory covering multiple vulnerabilities in Excel. While chatting with one of the OSVDB manglers, I began to think out loud about why we would see so many Excel vulnerabilities released at once, and I think it became clear.
Remote Code Execution Using a Malformed Range – CVE-2005-4131
Remote Code Execution Using a Malformed File Format – CVE-2006-0028
Remote Code Execution Using a Malformed Description – CVE-2006-0029
Remote Code Execution Using a Malformed Graphic – CVE-2006-0030
Remote Code Execution Using a Malformed Record – CVE-2006-0031
Remote Code Execution Using a Malformed Routing Slip – CVE-2006-0009
Looking back at the original eBay entry, the poster said “all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months.” The technical details released at the time stated “Microsoft Excel does not perform sufficient data validation when parsing document files. As a result, it is possible to pass a large counter value to msvcrt.memmove() function which causes critical memory regions to be overwritten, including the stack space.”
Note the CVE assignments for each of the vulnerabilities listed above. CVE-2005-4131 covers the eBay Excel 0-day. Shortly after that, we see CVE-2006-00xx assigned for five more Excel vulnerabilities and it is pretty clear what happened. Ollie Whitehouse, Peter Winter-Smith, Dejun, Eyas and Arnaud Dovi (via TP) all probably tried to find more details on the posted 0-day. In doing so, they discovered additional vulnerabilities in Excel and thankfully (for Microsoft) followed a responsible disclosure policy. This turned out to be an interesting byproduct of an amusing eBay listing.
There has been a steady stream of papers and research examining the market for vulnerabilities. Countless people have blogged on it in passing and more people are starting to take interest in it for many reasons. Here are a couple papers (courtesy of Danchev’s blog) that cover the issue. When I find time, I hope to dig up links to others I have seen mentioned, as well as dig into the footnotes of these.
Vulnerability Markets: What is the economic value of a zero-day exploit?
Rainer Bohme – Dec 27, 2005
Market for Software Vulnerabilities? Think Again
Karthik Kanna, Rahul Telang – Dec 12, 2004
An Economic Analysis of Market for Software Vulnerabilities
Karthik Kanna, Rahul Telang – May 3, 2004
Jason Bergen posted to Full-Disclosure trying to sell a “Security Vulnerability Database Company“. From that mail:
The company maintains a database of all security vulnerabilities, and the database is updated on a daily basis. The company maybe of interest to organisations who are currently licensing a vulnerability database. In addition the company has developed some software applications built upon the vulnerability database.
This is interesting on many levels, especially the approach in selling it. Why post to that mail list and not others? When asked for more details, Mr Bergen tells you “In order to provide further information a signed NDA would be required.” You must sign a non-disclosure agreement just to find out the name of the company being sold. He also makes the following claim:
The database contains all vulnerabilities since 1988. Each entry has Bugtraq, CVE, and Nessus ids. It has developed its own vulnerability alerting system, but recently changed focus to providing OEM database licensing.
Sadly, he is not the first to make this claim. Throughout the years, many people have referred to CVE as having “all vulnerabilities since 1988” which simply is not the case. If you ask Steve Christey or anyone involved with CVE, they will be the first to tell you that isn’t the case. So why do people think that? CERT started releasing advisories in 1988, but only released them for serious/critical vulnerabilities. Between 1988 and 1999 (CVE inception), many vulnerabilities were never added or given a formal advisory for. In short, claims that their database has “all vulnerabilities since 1988” is extremely suspect. Had it been any year other than 1988, perhaps they took the time to go back and add them making the claim true. His wording also begs the question, what if a vulnerability doesn’t have a BID, CVE or Nessus ID to match? As much as databases try to maintain a perfect cross reference mapping, it just doesn’t happen all the time.