How much does a 0-day vulnerability cost?
The market for exploits for zero-day vulnerabilities has exploded in the last year, says Adriel Desautels, the founder of Netragard, a penetration testing and vulnerability assessment outfit that, among other things, acquires and develops exploits.
The number of buyers and the money they are willing to pay for working exploits has dramatically increased, and so has the number of exploits offered for sale each month, he says. Also, the purchase deals are made much more quickly than in the past.
Obviously, the whole economy around this “product” has matured.
As a legitimate company, Netragard must be very careful when selling its exploits. According to Desautels, the firm rejects the majority of those who want to buy them.
“Realistically, we’re selling cyberweaponry,” he points out, but does not share how the vetting process is performed or the price that specific exploits can reach.
It is very well known what some software vendors offer for them through their own bug bounty programs, as well as the prizes offered for working exploits to participants in hacking contests such as Pwn2Own and Pwnium.
These sums are considerably smaller that the ones that can be earned by enterprising vulnerability researchers and hackers if they choose to sell exploits to other organizations, and that’s counting in the fee for the intermediary.
The Bangkok-based security researcher that goes by the handle “the Grugq” is one of these mediators. His contacts in various governments and knowledge of the matter at hand make him eminently suitable for brokering such deals.
He is also careful when choosing to whom to sell the offered exploits, and that’s mostly US and European governments and agencies. Ethical considerations aside, they simply pay much more than a Middle Eastern or Asian government can offer.
The Chinese government doesn’t need his services, he says, because its huge number of hackers usually sell their exploits exclusively and directly to them. He also says that he has no contacts in the Russian government, and that “selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money.”
So how much does a working exploit go for? Well, the price depends on a number of things.
An exploit of a vulnerability in a widely used piece of software is more costly than that of one in a less popular one, and the same goes for those that take advantage of vulnerabilities in the latest software versions. Exploits for software that is more difficult to crack is also more pricey.
Taking all this in consideration, it’s easy to see that an exploit for Windows will be more expensive than one for breaking into a Mac OS X machine, and that the tougher security features of iOS will raise the price for its exploits above that for Android.
According to Andy Greenberg, the current rough price list looks like this:
“Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software’s vendor,” he says.
“Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit.”
Event though considered unethical by some, these sales and acquisitions are sure to continue for the time being.
Demand creates supply and, according to the Grugq, banning the sale of exploits would have the same effect that the war on drugs has had on eliminating drugs – none.