The hacking black market is outbidding legitimate IT companies for disclosure information on zero-day exploits.
The Market for Cybercrime Tools and Stolen Data report, from thinktank Rand, found prices on both the black and grey markets much higher than the bounties companies pay to have bugs in their own systems disclosed.
Bug bounties such as No More Free Bugs, Packet Storm, and BugCrowd – as well as supplier-specific programmes such as Mozilla’s Bug Bounty Program – pay less than the black market, stated the Juniper-sponsored report.
"Some sources say a researcher could earn 10–100 times what a software vendor with a bug bounty would pay; for example, HP’s Zero Day Initiative and Verisign’s iDefense Vulnerability Contributor Program only pay up to $10,000 for exploits," said the report.
In 2012, disclosing a zero-day exploit for Apple iOS earned hackers between $100,000 and $250,000. Chrome and Internet Explorer zero-day exploits paid out up to $200,000; and up to $100,000 was paid for disclosure of Windows zero-day exploits in the black market.
The report noted that, after zero-day exploits were disclosed, the number of malware variants exploiting them increased 183–85,000 times, and the number of attacks increased 2–100,000 times.
Zero-day attacks are rare, but the report warned that a much larger market existed in exploiting vulnerabilities shortly after they are discovered. In this scenario, the hacker has gleaned knowledge of a security patch being distributed, so there is a window of opportunity to attack unpatched systems.
Nawaf Bitar, senior vice-president and general manager of security business at Juniper Networks, said: "The security industry, government and legal communities must come together to establish new norms for how companies can more vigorously defend themselves against cyber-attacks.
"By using forms of active defence such as intrusion deception we can identify, thwart and frustrate attackers."