When I was playing with and introducing the partial disclosure practice a year and something ago, I got contacted by numerous dodgy characters willing to buy as yet undisclosed vulnerabilities for substantial amounts of money. Of course, requests of that nature were kindly ignored. I couldn't believe that someone was willing to give me so much money for something I had spent 2-3 hours at most producing.
Later on, during the CONFidence 2008 event in Krakow, I met a bunch of people who claimed that they already sell exploits to various UK companies, and the figures they were making were outstanding. To give you a clue, given the pound/dollar exchange rate at that time, you could have made 6 times more than what ZDI and other similar programs can offer you for a top-range exploit. This is already better than a top salary in the UK.
Same year, different event... I saw an interesting presentation by Robert McArdle from Trend Micro. The presentation was titled "Fighting Web Based, Profit-Driven Threats". On one of his slides, Robert commented that "cybercrime is becoming more profitable than the drug cartels". Perhaps you won't be able to make as much money from carding as you might expect, but you can do quite well selling virtual goods, such as exploits and exploit toolkits.
Present times, DojoSec Monthly Briefings... Matthew Watchinski from Sourcefire VRT talked about a PDF 0day spreading around Xmas time. It took Adobe a good couple of months to fix it. According to Matthew, the author sold it for 75K to an unknown 3rd party in China. The vulnerability was also relatively easy to find and required very little experience to exploit.
All of this leads to the very obvious conclusion that, at present, cybercrime is a flourishing industry. Soon there will be even more recruits joining the dark-side forces of the cybercrime cartels. They will do it for the money!
No more free bugs you say? I say that you are leading people to become the next generation of cyber menace. Perhaps you forgot that the information security community was built on and thrived because of a simple but fundamental principle: knowledge must be free.
Sell The Bugs
Regardless of how good these figures may sound to you, you need to take a step back and think hard about what you are getting into. Here are a few points that you need to consider before selling exploits:
- Cybercrime is not a joke - If you get caught selling exploits to a dodgy 3rd party you may end up with a prison sentence longer than that of a child molester. If you live in the US or the UK you could be charged and treated as a terrorist, which will completely destroy not only your life but the lives of the people closest to you.
- Tax man problems - Oh yes! Unjustifiable income could get you in trouble with the tax man. The tax man will hunt you and hurt you.
- Broken legs and other broken parts of the body - You have no idea whom you are selling to. Tomorrow you may wake up with broken legs and twice as poor as the day before.
- Even worse - People will kill for a lot less than 75K. Keep that in mind.
In my humble opinion, exploit brokerage is a risky business. There is an unquantifiable risk associated with this practice, and that is due solely to the high prices exploits are sold for today.
Nevertheless, it is just silly to believe that no one is producing and selling exploits on a large scale. Do you remember the numerous gaming sweatshops which sprang up like wild mushrooms after heavy rain in 3rd-world countries? I recall seeing a documentary on a typical day in a Chinese WoW sweatshop. I remember seeing a room full of almost naked people and numerous PCs hooked up to a gigantic DIY network spreading across the entire floor. Most of the WoW accounts were fully automated, running from virtualized platforms.
The aim was simple: a) develop many characters in a semi-automated fashion by killing small animals and other things around the WoW world and b) sell the characters plus other artifacts to western buyers for a substantial amount of money. All of this can be achieved for as little as $70 a month per person. This is a remarkable business model which works extremely well.
Similarly, all you need is a bunch of programmers from India, China, or Eastern Europe to code up fuzzers and run them against as many software products as possible. At the end of the day, memory corruption bugs are relatively easy to detect. All you need is a crash caused by putting far too many 0x41s in a buffer. The crash is already an indication that something is wrong. It requires a bit of manual work to figure out whether the crash is exploitable. From personal experience, and by looking into the work of my peers, it takes approximately 10 days to develop a crash into an exploit. Most of the time, the exploitability of a crash is apparent and therefore no time needs to be wasted. Other times, a crash can be archived for future investigation, since it may become exploitable once the necessary conditions are met.
Perhaps you can do all that by paying someone as little as $70 a month, as is the case with WoW sweatshops. That is 3 times less than what I am paying for hosting alone. Therefore, I most certainly can afford to hire 3-4 people right now and even double their salaries, but let's do the maths:
# average exploit price: **$5000**
# number of people to hire: **5**
# average monthly salary: **$100**
# job specs: **write fuzzers**
5 * 100 = $500 # a month in expenses
5000 / 500 = 10 # months' worth of work
Heck, I can even put this bill on my credit card and pay as little as $50 a month. The chances that I will sell an exploit for $5K in the next 10 months are pretty high. And $5K is only if I go with a legitimate company; I can probably make 6 times more by selling it to a dodgy 3rd party. The only thing I need to worry about is the risk.
Some Final Words
Finally, I know that a lot of people are in the security business because of all the romanticism and the myths surrounding the "hacker" figure. Things look different once you become the hacker and your day job and lifestyle are surrounded by hacking and breaking into systems of any sort. There is nothing romantic about it.
So, don't get into trouble for the wrong reasons. If you are young and you need advice on what to do with your career, contact us or contact anyone who has been in this industry long enough to give you good and sensible advice. Just don't jump onto the "No free bugs!" bandwagon.
The "no more free bugs" campaign is nothing more than an opportunity for the black market to tap into even more talent.
The "no more free bugs" thing sounds like extortion to me. nobody asks researchers to find bugs, just as no one asks anybody to test the security of your front door. don't get me wrong. do I want to get paid more? hell yeh! the thing is that it is up to you whether you want to sell it or not for the price that is offered. in other words, if I offer you $5 for an exploit it is up to you to decide if you want to have a deal or not. some people think that my argument is that security researchers are already paid enough and they don't deserve to be paid more for their exceptional work. this is incorrect. my opinion is that although you, as a security researcher, dictate the price of your work, at the end of the day it is all business. you can ask for any sum you can imagine, but if no one is willing to buy it at that price you will lose. and asking 75K from a legit company for a vulnerability which could be leaked tomorrow is not the way to go. it is a high-risk investment no one will bother to get into. as a businessman, if I give you 75K for a vulnerability I would like to see first of all a return on that investment and perhaps even a bit of profit. the only people that will buy at that price are either military institutions (only if in line with the current budget and objectives) or shady figures from around the Internet who will use your work to expand their botnets.
"no more free bugs" campaigning. What the "no more free bugs" campaign promotes is not disclosing critical information unless certain demands are met. It sounds ridiculous and terribly wrong! Also, it is pretty subjective to talk about how much Apple and other software and hardware vendors are willing to pay for a bug. Keep in mind that if they knew a vulnerability in their products was worth $75K, they would have had a proper bounty program. As far as I know, Mozilla is one of the few vendors that offer bounties for bugs, and they are not paying that much, i.e. you are not going to get rich. As a matter of fact, I hear that ZDI has bought some vulnerabilities for at least $50K in some instances. I am not sure if this is true, but if it is, then I guess the market is finding its own way to justify the cost. However, if bugs can be sold to vendors for $50K, then why should anyone bother with pwn2own competitions where you make a lot less than that?