Zero-day Exploit Price List - mef
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
======
DanielBMarkham
This is a great idea. Directly and publicly monetize security bugs. This is
technical debt in terms of real, hard, cold cash.

As a community it makes sense to embrace this. As vendors (and especially
people who develop apps for walled gardens) start seeing real-world feedback
on platform security, we can all make more informed choices. It also
incentivizes the hell out of companies to make their stuff more secure.
Terrific concept. This shouldn't be some kind of dark grey-market site. It
should be on a web location as visible as eBay (owned by somebody with no
skin in the game).

For those of you arguing that such information can and does kill people, I
feel your pain. But you can't hide knowledge. There will be a market whether
or not there's a Forbes article about it. The only difference is whether you
know about these vulnerabilities or you don't. A big, public market lets
everybody see how crappy the things we use are. A secret, government-
controlled market keeps all of that critical information away from the very
people who need it. If the Syrian government is using security exploits to
kill dissidents, all the more reason to let the sun shine in.

~~~
joeguilmette
Just as important as the 0days themselves is keeping public who bought them.
0days, in many cases, are weapons. By keeping this market and its
transactions in the open perhaps we can keep the purchasing parties a little
less evil, or at least drive up their costs.

This market, to me, looks very similar to the weapons industry. The more open
it is the better for everybody. The other commenters are correct, this market
isn't going anywhere. We may as well shed light on it.

~~~
rdtsc
> Just as important as the 0days themselves is keeping public who bought them.

That sounds ridiculous, I think. As soon as that is made public, there will
instantly appear another market where that info is not made public, and most
buyers will switch to that new market, sellers will follow as well.

------
iuguy
Disclaimer: I know people referenced in this article.

Whatever your views on the morality or ethics surrounding this market, the
fact is that it exists and isn't going away. In fact it has existed for a long
time (I certainly remember exploits being traded, bought and sold in the early
2000s and 90s) but the thing that's new-ish is the presence of numbers in the
public eye.

Charlie Miller's paper on the 0day market[1] provides an example of what
happens when someone has a lack of market information (they lowball and sell
the bug for less than it's worth) in this space, and might be of interest to
people who enjoyed this article.

[1] - <http://securityevaluators.com/files/papers/0daymarket.pdf>

~~~
underwater
You're right, but saying "someone else would do it if I didn't" is a pretty
weak rationalization. They're making themselves rich at the expense of
everyone else. They're a leech on society.

~~~
iuguy
> They're making themselves rich at the expense of everyone else. They're a
> leech on society.

No they're not, on both counts. They're not making themselves rich at the
expense of everyone else. Their major customers are governments, who are in no
rush to make their own purchasing patterns illegal. They're taking part in an
active established market. Immunity have been doing this publicly for over a
decade, with the difference being that anyone can buy Canvas.

The simple solution (which works in favour of the exploit dealers too btw) is
to use a layered approach to defences that make it more expensive to develop
an exploit. That's what Microsoft have been doing since Vista. There are now
so many hurdles you have to jump through for a server-side remote code
execution bug that for most people it's just not worth it (given that you'll
have to chain exploits more often than not to bypass protective measures),
which is partly why client side bugs are becoming more common.

~~~
tptacek
Eh. Two much more important factors militating for clientside exploits:

* The client-side attack surface is, probably by many orders of magnitude in any metric you care to use, more complex than the serverside attack surface. Look at the kinds of libraries that have been long-term thorns in the sides of developers and security teams --- image codecs, font libraries, compression --- a big chunk of everything that goes on your computer screen can be influenced by attackers.

* The client-side attack surface includes multiple programming languages hooked up to anonymous content (the most important being Javascript), and so clientside exploits have significantly better tools to work with.

Not to take anything away from your point; I'm glad you're injecting some
sanity onto these threads.

~~~
iuguy
You're absolutely right on both counts, and thanks for the comment.

~~~
uid501
On a related note re: client vs. server. Taking a recent incident that was in
the news, when the Brits pwned a pro AQ forum. From that vantage point, the
best thing they can do is to target the admins, moderators and heavy users --
with client sides. Probably more than one, since it is unlikely that a single
exploit would be effective against each of the targets. The valuable intel is
going to come off those users' boxes, not off some semi-anonymous VPS shard.
Logs of Tor exit nodes, googlebot, and proxies reveal nothing interesting.
From a certain perspective, it makes sense that there just isn't much value to
be had from servers, and so there's reduced incentive to pay high prices for
server exploits.

Not to mention that gaining access to that server would probably be fairly
simple given the atrocious security standards of most web hosting companies.
CPanel, pilfered ssh key, SQLi, PHP bugs in the forum software, rent a VPS on
the same host and LPE... I hardly need to tell _you_ how many alternative
(cheap) ways exist to gain access to the server. (And this is assuming that
they aren't running their own colos and web hosts a la
<http://www.schneier.com/blog/archives/2008/10/clever_countert.html>)

Given the relative ease of access to servers and the poor quality of intel
stored on them, it's no wonder that the market focus is on client sides.
Finally, it's worth mentioning that most (all?) of the servers with
interesting data on them are in the legal jurisdiction of the US (just ask
Kimble, ha!). Accessing that data requires a sternly worded letter on official
letterhead, not an exploit.

So, not to detract from either of your points; but there is another angle to
add to the mix.

~~~
greedo
Well, client-side attacks are great because they typically rely on the naivete
or indifference of the user. And the client-side attack surface is typically
protected to a lesser degree than a server. A well orchestrated spear-phishing
attack is tough to defend against, even for a security conscious user. The
attack surface is just so large.

However, the meat on the bones is really on the servers. If someone pops my
desktop at work, they won't find much valuable data. But they will be able to
keylog me, grab admin password hashes, arp-spoof etc. Still, no data. But what
they will get enables them to access our company files and databases in short
order.

In essence, client-side attacks in the corporate world are definitely targeted
at server data, while in the consumer world, they're targeted towards identity
theft or botnet creation.

~~~
uid501
This is the gov world though, where the interesting information is things like
your address book _, your emails (the content as well as the
senders/recipients), your private keys and passwords, etc. etc. Client sides
provide direct access to those things (or at least, a means of obtaining
them).

There are very few governments that care about what is on your company file
server or in your company databases. (Ignoring the elephant in the room on
that one.)

_ Law enforcement agencies keep huge Access databases of the contacts they
extract from cell phones taken from criminals. They share this intel with each
other via email (I know, I know...). They can discover a great deal about who
is involved in an activity and where they are on the totem pole from just this
data. It's even possible to identify people by correlating the content of the
"name" field and using the phone number as a unique ID. Criminals tend to have
poor OPSEC.

~~~
greedo
I don't think it's safe to assume that government simply means spying on
individuals for national security reasons. Governments engage in corporate
espionage all the time, and not just China.

------
tptacek
In reality, exploit sellers and exploit buyers are engaged in discovering the
value of security exploits. That the value of those exploits might be pinned
to unethical, immoral, unlawful, or belligerent conduct is irrelevant; markets
have to operate in the real world, and we cannot stipulate that the bad actors
absent themselves from the real world.

So while I personally find the sale of exploits distasteful†, I think Soghoian
is in the weeds with this argument about exploit developers being "modern
merchants of death". Exploits are nothing like conventional munitions. They're
extremely scarce and their extraction from software imposes no intrinsic costs
on the rest of the world.

In other words: vendors can simply outbid intelligence agencies for their
bugs, or, better yet, invest more heavily in countermeasures to moot those
bugs. Unlike guns, which can be manufactured so cheaply and at such a scale
that no one organization could hope to stem the tide with markets, vendors can
stop immoral abuses of their own software simply by participating more
actively in the market.

$200,000 sounds like a lot of money, but it's under the cost of one senior
headcount at a major software vendor, and vendor cash flows are expressed in
high multiples of their total headcount cost. The higher the prices go, the
more incented vendors are to stop vulnerabilities at the source.

Even today, the whole technology industry is captivated by the misconception
that vulnerabilities somehow cost some fraction --- maybe 1/3, maybe 1/4 ---
of a senior full-time dev salary. After all, they're generated by people who
would otherwise be occupying that kind of headcount. And for the most part,
that misconception has been bankable, because the best exploit developers
almost as a rule suck at marketing themselves.

Every other price in the application security field follows from this
misconception, from headcounts and org charts at vendors to assessment budgets
to shipping schedules for products to the salaries of full-time application
security people.

It's all built on a misconception; that misconception creates a market
inefficiency; people like (allegedly) The Gruguqhquq are arbitraging on that
inefficiency. But the solution to a market inefficiency is to eliminate it,
not, as Soghoian implies, to install umpires around it and erect bleachers and
a jumbotron so we can watch it more carefully.

I see this story as evidence of chickens coming home to roost, not as some
dangerous new ethical lapse on the part of the security industry.

† _This is an easy moral stance for me to take because I don't invest any
serious time into developing exploits for the targets on this price list._

~~~
soup10
I disagree, the more demand there is for exploits, the more exploits there
will be. If there is enough demand for them, we will even start to see
employees on the inside of these companies purposely creating them.

Companies do not directly lose money if their products are exploited. How many
thousands of exploits have been developed for windows? They're still doing
just fine.

Software is buggy and exploitable by its very nature. The cost to secure a
large software project is orders of magnitude higher than the cost to find a
flaw and exploit it.

By participating in an open market for exploits and greatly raising demand for
them, the government is making us all less secure. "This is why we can't have
nice things".

~~~
tptacek
Exploits do not come out of nowhere. They can't be scaled with demand.

The fundamental moral problem with the market isn't the value being imputed to
exploits; it's the _lack of value_ imputed to resilient software.

~~~
soup10
> Exploits do not come out of nowhere. They can't be scaled with demand.

Why not? All large software projects have flaws. Doesn't more demand for
exploits mean more people are going to look for and find them?

> The fundamental moral problem with the market isn't the value being imputed
> to exploits; it's the lack of value imputed to resilient software.

I think it's both. People shouldn't be selling exploits to entities that will
use them offensively. And vendors largely don't care about security as much as
they should.

~~~
tptacek
More demand does cause more people to look for exploits. But since there's a
finite number of vulnerabilities to be extracted from code, I'm not sure how
that's relevant.

------
lukeschlather
>One of the most vocal of those critics is Chris Soghoian, a privacy activist
with the Open Society Foundations, who has described the firms and individuals
who sell software exploits as “the modern-day merchants of death” selling “the
bullets of cyberwar.”

Are there any documented cases of malware killing someone? All this
cyberwarfare stuff seems a little overblown.

~~~
achille
The chief Iranian computer scientist in charge of managing Stuxnet was killed
by a magnet car bomb attached by a motorcyclist.

<http://www.usatoday.com/news/world/story/2012-01-11/iran-nuclear-expert/52494192/1>

No exploit > No Stuxnet > No Death

~~~
lukeschlather
That still sounds like someone using a conventional weapon to kill someone;
it's a pretty big stretch to compare malware to a bullet.

~~~
jackowayed
Intelligence is a major part of warfare. It's a lot easier to assassinate
people if you have good means of finding the people you want dead.

~~~
lukeschlather
Well, I have no problem with calling it cyberintelligence, or even
cyberespionage, but just because espionage is part of warfare doesn't make it
warfare.

------
evmar
One time I was working on a MapReduce that processed a lot of XML found on the
internet (I can't remember why anymore (edit: I remember now why I can't
remember, it was a friend's program that I was helping out on)) and I found it
crashing on some input. After some examination of my code I traced it to a bug
in libxml (which is also used by Chrome, Safari, and others). I simply
reported the bug to the appropriate parties and it got fixed. It's funny to
think that the author of that bogus XML file had gotten the syntax wrong
enough in a way that would've been worth thousands of dollars!

~~~
eddington
It's worth noting that not every bug is a security-critical bug. Similarly,
not every crash is a security-critical crash.

Sometimes you can exploit a bug to give you something, sometimes it's just a
plain old bug.

People only pay for the security-critical ones.

------
andreyf
I've always wondered this about vulnerabilities: how can one guarantee an
exclusive sale? And why doesn't someone who bought it just go ahead and
resell it to (multiple) others to make a profit?

~~~
uid501
As mentioned elsewhere, generally the payment is spread out over months,
contingent on the seller keeping their side of the bargain. And the second
query describes the business practices of many defense contractors who act as
de facto gatekeepers to government contracts.

~~~
greedo
This implies that "there can be only one." The idea that you could effectively
prove that a seller is keeping their side of the bargain also implies that no
one else would discover it.

~~~
uid501
It just means that the seller is incentivized to minimize the number of people
that know about the vulnerability. Which is effectively what "exclusivity"
actually means, at least in this case.

As an additional point, if either side becomes known as a bad actor in the
market, they will severely limit their ability to operate. There is some short
term incentive to be dishonest (more money now), but in the long term it
removes the ability to earn in the future. Like selling your fishing rod for
fish today, tomorrow you'll be hungry again, only now you can't fish. (To
butcher a cliche.)

[edit: grammar]

~~~
greedo
How would you prove that the seller didn't resell the exploit?

------
ninjin
Schneier has recently written an excellent analysis of the exploit market. He
also links to a ton of interesting related material.

<https://www.schneier.com/crypto-gram-1206.html#1>

------
gallerytungsten
Perhaps this is the explanation for how Flame and Stuxnet had so many zero day
exploits: the Feds crowdsourced them through the Grugq.

~~~
lawnchair_larry
It's an open secret that they both build them and buy them. Where the stuxnet
ones came from is uncertain, but it could have gone either way.

I've heard they'll actually pay for one they already have if they hear a
broker selling it. In this case, they are paying to keep it scarce (as these
deals come with exclusivity).

------
TimPC
Hopefully the result of this revealed information will encourage companies to
raise the prices they offer for reporting/fixing security critical updates.
It's a shame that the legitimate route pays 1/10th to 1/25th of the
alternative. Particularly since the illegitimate route is basically selling
coding services to a government agency in a lot of cases (albeit closer to
cracker than hacker), which some people do anyways as a part of their normal
coding jobs.

------
GoodIntentions
Brokering 0days - legal? yes. Risk free? I doubt it.

Grugq makes me think of Gerald Bull.

------
uptown
So is it a safe assumption that all porn sites are riddled with these types of
exploits? Excluding generating revenue from these types of exploits, I've
never understood how those sites could be sustained given the bandwidth
charges those sites must incur.

~~~
arkem
While porn sites might be riddled with malware it is unlikely that they'll be
zero days. More likely you'll see exploits for bugs that are publicly known
but not yet patched everywhere.

The value of a zero day is largely rooted in the fact that it hasn't been
disclosed publicly and any widespread use of a zero day threatens that value.
Zero days will be used when the risk of discovery is very low or the payoff is
very high and attacking random people who visit dodgy websites is unlikely to
meet those conditions.

------
nsomething
Perhaps the worst thing about this is that engineers at the browser makers are
now incentivized to create Zero-days. $250k and rising for knowingly creating
a backdoor? There's now a market for software engineer corruption. Maybe add
in some middlemen...

~~~
jaredmck
Wouldn't it be fairly easy to get caught doing this? Especially if you did it
multiple times, it seems obvious exploits in code you checked in would be
traced back to the malicious engineer.

------
leeoniya
"Google typically offers a maximum of $3,133.70"

i believe they recently paid out 2x $60,000 prizes.

~~~
rpsw
They did, but this was for prizes during Pwnium at CanSecWest, not everyday
amounts up for grabs.

~~~
arkem
True but the reward is now up to US$20,000 in some cases.

<http://www.google.com/about/company/rewardprogram.html>

~~~
daeken
I should also note that that's $20k for a _bug_ or series of bugs, not an
_exploit_. Considering the monumental effort required to write a stable,
viable exploit, getting 1/5 of the money (in theory) could well be worth it.

------
bryans
I know it was inevitable, but I find it rather disappointing that exploits
have become such big business. I felt like the hacker/cracker community
between the late-80s to mid-90s was just that: a community, which likely
developed naturally because of the scarcity of information at the time. Sure,
there were exploits being traded (and probably even sold occasionally), but I
never got the impression that anyone treated it like a business.

Admittedly, I'm probably just being sentimental about my childhood, but that's
how I remember it.

~~~
greedo
It has changed a lot in the last 20 years. Now organized crime as well as the
involvement of nation-states has made it far more lucrative, and conversely,
dangerous. Kingpin (kingpin.cc) does a good job of describing how much money
there is to be made, even when you're not a PhD.

------
rmk2
It's a pity the article only mentions client-side exploits, it would have been
interesting to see what is paid for server-side zero-days, especially
linux/LAMP related...

~~~
uid501
Consider the possibility that governments can create their own exploits. If
they have a large quantity of server side bugs the marginal utility of one
more is effectively 0. It is safe to assume that they have existing
capabilities in that area. Just mentioning a LAMP stack means SQLi as the most
likely vector. No point in paying for someone to run sqlmap for you... ;)

------
dlokshin
The article says that this practice is legal. If the sale is made, and then
the client uses it to do something illegal, is the hacker / Grugq free of
liability?

~~~
jameskilton
I would guess yes. The sale of firearms is legal, but if a buyer then goes and
kills someone with the gun, the seller of the gun is not liable. Not an exact
comparison but for legal comparisons I believe it's apt.

~~~
Achshar
But there are noble and perfectly legal ways to use a gun. But there are not
many for 0 days.

~~~
daeken
Jailbreaking, test cases for hardening your own systems (c.f. Metasploit),
opening appliances/devices to other analysis.

Three very common cases. Would quarter million dollar exploits be used for
these? Probably not, but it doesn't change the fact that there _are_ legit
reasons to buy, sell, and use zero-day vulnerabilities.

~~~
yuliyp
The prices that go on in these markets make any of those reasons fall pretty
blatantly on their face. Just like someone wanting to buy 100 AK-47s is also
certainly not going to use them to just take to the range.

~~~
uid501
Cydia (the gray market app store) generates over a million dollars a year in
revenue. The operation of this store, and thus its revenue stream, is entirely
dependent on jailbroken iOS devices. Thus, there is a business entity with an
existential interest in iOS exploits that are easily available to the iOS
using community (i.e. the public). Would Cydia pay a quarter million dollars
for an exploit to ensure that their customer base continues to exist?
(Disclaimer: I'm not affiliated with Cydia in any way; that revenue figure is
from an ex-Apple employee discussing an informal estimate.)

------
cdooh
Another article that reveals nothing new and only serves to help elevate the
public's fear that a full scale cyber war is imminent...

------
kirian
The hacker should accept bitcoins for the exploit and save the commission fee
and maintain better anonymity.

Also the buyer could stay anonymous too.

------
azakai
Linux isn't on the list, so I'm safe! :P

------
TwoBit
Why would iPhone be harder to hack than Android? Is it because iPhone software
is more closed source?

------
charlieok
Is there some aspect of this story that is new? The article was published
three months ago.

------
givan
Linux is not interesting for the buyers or not that easy to hack?

~~~
user49598
Probably has to do with servers being locked up pretty tight and desktop Linux
not having a large enough market share.