The sale of zero-day exploits is a thriving business that most people know little about. To better understand how it is evolving, let's look at the offer of the well-known exploit broker Zerodium, starting with the company's own description of its mission on its website.
“ZERODIUM pays premium bounties and rewards to security researchers to acquire their original and previously unreported zero-day research affecting major operating systems, software, and devices,” reads the company website. “While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and PoCs but pay very low rewards, at ZERODIUM we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market.”
Zerodium, like other zero-day brokers, buys zero-days and sells them to government agencies and law enforcement, but many privacy advocates fear that these flaws could end up in the hands of surveillance firms that sell their products to authoritarian regimes.
The company is offering rewards of up to $500,000 for zero-day exploits in UNIX-based operating systems, including OpenBSD, FreeBSD, and NetBSD. The same offer applies to exploits for popular Linux distributions such as Ubuntu, CentOS, Debian, and Tails.
Prices for zero-days depend on several factors, including the market share of the affected platform (Windows exploits are usually more valuable than Linux ones) and the level of user interaction required to exploit the flaw (no click, one click, two clicks, and so on).
Other factors include the reliability of the exploit, the number of vulnerabilities that must be chained to achieve the result, the success rate, and the OS configuration required for the exploitation to work.
Rewards for Linux zero-days continue to increase, a trend already observed since February, when they went as high as $45,000.
We're currently acquiring #0day exploits (privilege escalation or RCE) for the following operating systems: OpenBSD, FreeBSD, NetBSD, Ubuntu, CentOS, Debian, and Tails. For related inquiries or submissions, contact us: https://t.co/8NeubPvSdj
— Zerodium (@Zerodium) June 27, 2018
The company announced the latest acquisition drive as part of its ordinary zero-day acquisition program.
Such drives include special offers, usually with higher fees, for specific zero-day exploits.
Zerodium is still looking for remote code execution or local privilege escalation exploits for Linux and BSD systems, and it offers variable rewards that can reach $500,000.
The firm's payouts for Linux privilege escalation zero-day exploits range from $10,000 to $30,000, while a local privilege escalation (LPE) in Linux could be paid up to $100,000.
Rewards for Linux remote code execution exploits range from $50,000 to $500,000, with zero-days for CentOS and Ubuntu the most sought after.
In the past Zerodium offered up to $1.5 million for an iOS zero-day exploit.
Looking at the price list, exploits for server environments such as Linux command high rewards, but mobile exploits remain the most expensive items on the zero-day market.
Recently a new player, Crowdfense, entered the zero-day market with a $10 million acquisition program.
(Security Affairs – Cybersecurity, Zero-day exploits)