Black market for software security flaws reaches new highs

Warwick Ashford

The black market in previously undiscovered vulnerabilities in commercial software is now so well established that a single flaw sells for up to $160,000.

One supplier of such so-called “zero-day” vulnerabilities charges customers an annual $100,000 subscription fee, and then further charges per sale, according to the New York Times (NYT).

Costs depend on the sophistication of the vulnerability and the pervasiveness of the operating system or commercial software concerned.

In an attempt to counter this rapidly growing problem, many technology companies have started “bug bounty” reward programmes.

Last month, Microsoft finally joined Google, PayPal, Facebook and the Mozilla Foundation in offering cash rewards to prevent bug finders turning to the black market.

But Microsoft, which has stopped short of offering similar cash rewards before, was forced to come in with an offer of $100,000 for exploitation techniques against protections built into Windows 8.

Google, which recently upped its bounty to $20,000, and Facebook, which has so far paid only up to $20,000 for a single bug, may have to rethink their bug bounty programmes to remain effective.

The market is being driven upward by the increasing participation of governments eager to stay one step ahead of their rivals, according to the NYT report.

Top buyers of software flaws include the US, UK, Israel, Russia, India, Brazil, North Korea, Malaysia and Singapore, the paper said.

This is especially worrying given that some of these black market suppliers specialise in vulnerabilities in industrial control systems, which can be used to access or disrupt national utilities such as electricity or water.

The rapid growth of the market for software vulnerabilities presents a serious challenge to commercial software producers. It also underlines the growing importance of supply chain security.

Responding to the NYT report, Jeremiah Grossman, founder and CTO of WhiteHat Security, said huge black market rewards are likely to tempt rogue developers to plant bugs in software.

“It is hard enough to find vulnerabilities in source code when developers are not purposely trying to hide them,” he said.

Supply chain security has become an increasing priority as cyber attackers have also turned to infiltrating weakly defended companies to work their way up or down the supply chain to their end target.

In response to this concern, the UK’s Ministry of Defence has teamed up with nine large defence firms and telecoms providers to set up the Defence Cyber Protection Partnership (DCPP).

The DCPP is the latest in a series of cyber security initiatives by the government since cyber threats were categorised as one of the national defence priorities in 2010.

The partnership will look to implement controls and share threat intelligence to increase the security of the defence supply chain.
