As we have mentioned on previous occasions, a "zero-day vulnerability" is a flaw that is unknown to the vendor of the affected software, so no patch exists when it is first exploited. A related but separate property is whether the flaw can be exploited without any interaction from the user of the compromised system; these "zero-click" exploits are the most valuable, as the bounty figures below show. Within the cybersecurity community there are companies such as Zerodium that buy reports of zero-day vulnerabilities, which raises an obvious question: where does the interest in these security flaws come from?
While malicious hackers seek such vulnerabilities to cause severe large-scale damage, technology vendors run their own bug bounty programs so that researchers report flaws to them and the flaws get patched, strengthening the most widely used technology ecosystems in the world. Companies like Zerodium, known as "exploit brokers," compete for the same researchers by paying for working exploits, which they then resell to their own customers rather than to the affected vendor.
According to cybersecurity experts, Zerodium is currently seeking to acquire zero-day exploits affecting some of the most widely deployed software today, including:
- Operating systems: Microsoft Windows, Linux, Apple macOS, among others
- Browsers: Chrome, Edge, Firefox and Safari
- Mobile operating systems: Apple iOS 12.x and 13.x, Android 8.x and 9.x, BlackBerry 10 and Windows 10 Mobile
- Routers: ASUS, Cisco, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link
- Email servers: Microsoft Exchange, Dovecot, Postfix, Exim and Sendmail
In the latest update to its bounty program, the company announced that it is now willing to pay up to $2.5 million USD for an Android exploit that requires no interaction from the victim, the highest amount ever offered for an Android flaw. By comparison, the company will pay up to $2 million USD for an equivalent zero-click exploit against iOS, Apple's mobile operating system.
The popular belief, according to cybersecurity experts, is that iOS devices have always been more secure than those running Android, so why is Zerodium willing to pay more for a flaw that is supposedly easier to find? Experts point to two reasons. First, recent versions of Android have become considerably more secure, so full zero-click exploit chains against it are increasingly difficult to build. Second, several zero-day vulnerabilities have recently been disclosed in iOS, some of them even during the beta period of the new iOS 13, and this larger supply of iOS flaws has pushed down the price a broker needs to pay for them.
After Zerodium's announcement, we can only wait for researchers to discover such flaws in the systems listed above. Researchers who do, however, face a dilemma: report the flaw directly to the affected vendor so that it gets patched, or sell it to an exploit broker, which offers a far higher reward but typically resells the exploit to private companies or even government agencies, leaving the vulnerability unpatched.
According to experts from the International Cyber Security Institute (IICS), companies like Zerodium have steadily been raising the rewards they offer for this kind of flaw. The company recently announced rewards of up to $500,000 USD for Linux vulnerabilities across multiple distributions.