Hacker black markets outbid IT companies in bidding for zero-day exploit disclosures


Cliff Saran

The hacking black market is outbidding legitimate IT companies for disclosure information on zero-day exploits.

The Market for Cybercrime Tools and Stolen Data report, from the think tank RAND, found that prices on both the black and grey markets are much higher than the bounties companies pay to have bugs in their own systems disclosed.

Bug bounties such as No More Free Bugs, Packet Storm and BugCrowd – as well as supplier-specific programmes such as Mozilla’s Bug Bounty Program – pay less than the black market, stated the Juniper-sponsored report.

"Some sources say a researcher could earn 10–100 times what a software vendor with a bug bounty would pay; for example, HP’s Zero Day Initiative and Verisign’s iDefense Vulnerability Contributor Program only pay up to $10,000 for exploits," said the report.

In 2012, disclosing a zero-day exploit for Apple iOS earned hackers between $100,000 and $250,000. Chrome and Internet Explorer zero-day exploits paid out up to $200,000, and up to $100,000 was paid on the black market for disclosure of Windows zero-day exploits.

The report noted that, after zero-day exploits were disclosed, the number of malware variants exploiting them increased 183–85,000 times, and the number of attacks increased 2–100,000 times.

Zero-day attacks are rare, but the report warned that a much larger market exists in exploiting vulnerabilities shortly after they are discovered. In this scenario, the hacker knows a security patch is being distributed, so there is a window of opportunity in which to attack systems that have not yet applied it.

Nawaf Bitar, senior vice-president and general manager of the security business at Juniper Networks, said: "The security industry, government and legal communities must come together to establish new norms for how companies can more vigorously defend themselves against cyber-attacks.

"By using forms of active defence such as intrusion deception we can identify, thwart and frustrate attackers."
