The H-Security: Business appears to be booming for those who trade in unpatched (zero-day) security holes: according to a report by Forbes magazine, a US company that works for the US government recently paid $250,000 for a vulnerability in Apple’s iOS operating system.
The report says that the deal was arranged by a hacker who goes by the name of “the Grugq” and who has brokered agreements between those who discover vulnerabilities and government agencies over the last year. If negotiations are successful, the hacker retains a 15 per cent commission; he’s reportedly on track to earn about a million US dollars this year with his brokerage business.
iOS vulnerabilities are at the top of the price list that Forbes has compiled following its own research. According to the list, holes in Chrome and Internet Explorer are worth up to $200,000, while vulnerabilities in Firefox and Safari sell for up to $150,000 and holes in Windows for up to $120,000. Next in line are Microsoft Word, the Flash Player and Java plugins, Android and Mac OS X. Zero-day holes in Adobe Reader are said to be worth only $5,000 to $30,000.
Compared to these figures, the bug bounties offered by software companies appear to be more of a symbolic gesture: Google pays a meagre $3,133.70 for a critical hole in Chrome as part of its Chromium Security Vulnerability Rewards programme, a sum that is a long way from the maximum of $200,000 paid by clients of the Grugq.
Because of this extreme difference in returns, such holes are often not reported directly to the developers of the affected software. That does not pose a problem for the Grugq: “If they [the software companies] want their bugs fixed, they can buy them at market rates – like everyone else.” Sums this large are likely to present an ethical dilemma for many security researchers.