The sale of zero-day exploits is a very profitable business that most people completely ignore. The International Institute of Cyber Security discusses this practice using the example of Zerodium, a zero-day broker.
According to the company itself, Zerodium offers rewards to information security researchers and pentesters in order to acquire their original zero-day vulnerability research affecting major operating systems, software and devices.
“Most of the current exploit bonus programs accept almost any kind of vulnerability, but pay very low rewards; at Zerodium we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market”, claims a statement on their website.
Zerodium, like other zero-day brokers, buys this research and sells it to government and intelligence agencies, but many privacy advocates fear that these flaws can end up in the hands of surveillance companies that sell their products to authoritarian regimes.
The company offers rewards of up to 500 000 dollars for zero-day exploits on UNIX-based operating systems, including OpenBSD, FreeBSD and NetBSD. The same offer applies to exploits developed for popular Linux distros such as Ubuntu, CentOS, Debian and Tails.
The prices of these findings vary with several factors, including the market share of the affected platforms or systems (Windows zero-day exploits are usually more valuable than those for Linux, for example) and the level of user interaction required to exploit the vulnerability.
Other influencing factors are the reliability of the exploit, the number of vulnerabilities that an attacker must chain together to exploit the flaw, the success rate, and the operating system configuration the exploit requires.
According to pentest specialists, on past occasions Zerodium has offered up to 1.5 million for a zero-day exploit for iOS.
Looking at the price list for zero-day exploits, exploit code for Linux server environments earns large rewards, but mobile exploits remain the most expensive in the vulnerability research market.
Recently a new competitor broke into the zero-day market: Crowdfense, which launched an acquisition program with rewards of up to 10 million dollars for information security research and pentest findings.