
Rewards of Up to $500K Offered for FreeBSD, OpenBSD, NetBSD, Linux Zero-Days - ax00x
https://www.bleepingcomputer.com/news/security/rewards-of-up-to-500-000-offered-for-freebsd-openbsd-netbsd-linux-zero-days/
======
pleasecalllater
This makes me sad. People working on open source projects get nothing.
Sometimes they get some money. Sometimes they get some fame. People who don't
build anything, but find a hole, they are heroes, they get prizes, they are
worshiped.

If there is a commonly used open source library without hackable bugs, you
won't even hear about the author who committed his/her own time to build
reliable software.

If someone finds a bug, then she will get some prize, and will be invited to a
conference. And the library author will be publicly bashed as an idiot.

Sometimes open source people don't even get mentions.

I was working on a patch for a huge open source project once. I spent hours on
that. Two other people helped me, they also spent some significant time on
that. And we managed to implement this. Who was mentioned in the release
changelog? The person who committed that. Then I stopped spending my precious
time on such things as giving someone else the credit for my work. I love
programming, so I work on my own projects instead.

And all that makes me sad.

~~~
jdietrich
_> This makes me sad. People working on open source projects get nothing.
Sometimes they get some money. Sometimes they get some fame. People who don't
build anything, but find a hole, they are heroes, they get prizes, they are
worshiped._

I think you've misunderstood what's happening here. Zerodium, the company
mentioned in this article, is an exploit broker. They buy vulnerabilities from
researchers, then sell them on to government intelligence agencies. The entire
purpose of their business is to undermine the security of the tools we use.

Bug bounties are a response to this trade in exploits. They incentivise
researchers to publish vulnerabilities rather than selling them to spies.
They're a necessary evil to keep zero-day vulnerabilities out of the hands of
oppressive regimes. It's not nice, but that's just the world we live in.

Large companies that rely on open source software have started to understand
the importance of financially supporting OSS development, largely as a result
of the Heartbleed crisis. The Linux Foundation's Core Infrastructure
Initiative has created a secure financial foundation for critical open source
projects.

~~~
xxs
> They buy vulnerabilities from researchers...

or provide an opportunity for the original developers to introduce an obscure
backdoor and cash out

~~~
pas
That's an interesting take on the situation.

Was there any instance of this? Are there disincentives against this? (I guess
the entity offering the bounty could say, only software released before this
day is available. Though malicious contributors can very certainly guess that
there will be other future bug bounties too.)

~~~
Zophike1
> Was there any instance of this? Are there disincentives against this? (I
> guess the entity offering the bounty could say, only software released
> before this day is available. Though malicious contributors can very
> certainly guess that there will be other future bug bounties too.)

I believe some time ago there was news surrounding backdoored crypto. Also, on
the low-level side of things, there was a secret rootkit in Street Fighter that
allowed for an EoP:

[https://github.com/FuzzySecurity/Capcom-Rootkit](https://github.com/FuzzySecurity/Capcom-Rootkit)

[https://www.blackhat.com/docs/eu-17/materials/eu-17-Filiol-B...](https://www.blackhat.com/docs/eu-17/materials/eu-17-Filiol-By-Design-Backdooring-Of-Encryption-System-Can-We-Trust-Foreign-Encryption-Algorithms.pdf)

------
forapurpose
There is a zero-sum trade-off between exploit brokers and the public's
interests. I don't mind for-profit businesses, especially large ones, paying
for exploits to their own products. Open source projects such as the BSDs,
however, can't afford it and they donate their work to the public for public
benefit. For those systems selling and buying exploits rather than reporting
them to the devs is unethical, IMHO, for both the exploit discoverer and the
broker.

------
John_KZ
Can we fix this kind of behavior without spiraling down to a money-spending
competition? (Which the open source community clearly cannot win?)

With open-source developers being badly paid, large numbers of relatively
unknown contributors with little to lose (ie no reputation, no criminal
charges, no repercussions whatsoever), and major corporations not caring
enough about Uncle Sam to spend $$ to shield open source software they use,
who will stop this kind of decay?

It used to be that the stakes were low, the developing community was small,
and the amount of software was manageable. If someone introduced a zero-day,
they would sooner or later be caught and kicked out. Few people cared about
breaking into this software, so some donated personal effort was adequate to
shield against those intruders.

Now if you can remotely compromise Debian or Ubuntu you have millions of
servers in your hands and potentially hundreds of millions worth of private
data. I don't see how this can be stopped.

------
forapurpose
I find especially interesting the tables showing the payoffs for exploits of
different platforms. It gives us insight into supply of and demand for the
exploits:

[https://www.bleepstatic.com/images/news/u/986406/attacks/Zer...](https://www.bleepstatic.com/images/news/u/986406/attacks/Zero-Days/zerodium_prices_mobiles.png)

[https://www.bleepstatic.com/images/news/u/986406/attacks/Zer...](https://www.bleepstatic.com/images/news/u/986406/attacks/Zero-Days/zerodium_prices_desktops.png)

------
djsumdog
This gets into the entire controversial business of selling exploits to
"Security companies." Often these companies are just brokers, sometimes
selling to states, but also to criminals.

Years ago at Ruxcon in Melbourne, this came up in a panel discussion. One of
the members, Ranty Ben, talked about how exploit sales were part of his
career/income.

The talk was originally here, but it seems to be gone now:
[https://www.youtube.com/watch?v=xlJ1DQdjVHM](https://www.youtube.com/watch?v=xlJ1DQdjVHM)

------
jaxtellerSoA
>Zerodium is known for buying zero-days and selling them to government
agencies and law enforcement.

So how much is Zerodium getting for these zero-days? If all you care about is
money, then aside from the fear that you might end up getting investigated by
one of these agencies, why wouldn't you sell directly to them for more money
than Zerodium is giving you?

Otherwise if you actually care about the security of systems, then disclose it
to the developers, give them reasonable time to fix/patch and submit it as a
CVE.

~~~
INTPenis
The concept of government contractors is quite common. If Zerodium can
guarantee auditing and safe zero-day acquisition, then I don't see anything
different in governments using a broker to attain their exploits.

The same attractions would apply as when they're dealing with other government
contractors rather than individual actors.

The really sad thing here is that those exploits might be put to use against
the people of the world.

------
3pt14159
I fell into cybersecurity after doing some consulting to a major department of
the government of Canada on machine learning. While there I was shocked at how
bad things are. FVEY may be the pre-eminent alliance in the cyber domain of
war, but defence is so much harder than offence if the situation isn't rushed.
This didn't really dawn on our political leaders until recently, but they
don't really know what to do.

So I started methodically learning cybersecurity. I ended up writing this
comment about a year or two in:

[https://news.ycombinator.com/item?id=12788910](https://news.ycombinator.com/item?id=12788910)

> It's surprising how bad cyber security is, but so much of it is right there
> in the pages of this [U Waterloo textbook]. It's like finding out you can
> buy a Patriot missile for $250 and some spare time in the evenings.

Over the past two years I think the world is starting to understand where we
are headed, but there are no easy solutions. Many of the problems we have are
the same ones we've had since the dawn of the NSA. Computers need operating
systems. Operating systems are really fucking hard to make completely secure,
let alone completely secure and borderline useable. If you think $500k for
0days is high you ain't seen nothing yet. When autonomous systems run
everything or when greater numbers of Wall St traders start realizing what
they can do with an 0day and some outlying put options we're going to see
0days worth tens of millions as the arms race heats up.

The problem with cybersecurity tools (and AI / autonomous systems) is that
it's all dual use. The same tools you probe your own server with are the same
ones you can probe others with. Worse—we can't even control the export of
attack tools because it's all essentially just data. You can't stop people
from memorizing code snippets or facts.

Even so, we need to instil fear into people in the West. We need to limit who
they're legally allowed to sell the vulns to. Allied states: Yes. Defence
interested parties: Yes. Some cybergang: Fuck no. We need to deny travel visas
to the direct family members of other individuals in unaligned states that
sell 0days to the worst actors.

It won't stop malactors from getting these bugs, but it will make it
significantly more expensive for them to do so, and at the end of the day war
and crime are economic concerns as much as they are political.

~~~
bmer
I saw an ad (math dept. at Canadian university) from the government looking to
hire cybersec people. I was pretty interested, but didn't match the
requirements they were looking for (experience with cybersecurity). As someone
with a background in scientific computing, I wonder what the transferable
skills are between sci-comp/cybersec, apart from data analysis/machine
learning?

~~~
0xdeadbeefbabe
IMHO you are probably smarter than they are, especially if you can remain
scientific about things.

------
deathhand
If the government has to crowd source its back doors then there may still be
hope for digital freedom.

------
jokoon
Can't you use some form of static analysis to highlight potential
vulnerabilities?

~~~
arbitrage
The low-hanging fruit amenable to this type of discovery has been plucked
years ago.

------
crb002
This is disturbing. $500k payout for colluding to introduce a back door in
OSS.

