$60000 for a zero day in Flash???
These guys will go bankrupt in three months at most!
Last week Apple made its belated entrance into the bug bounty market, announcing a top award of $200,000 for major flaws in iOS, but Cook & Co have been comprehensively outbid. On Tuesday, exploit trading firm Exodus Intelligence said it is willing to pay $500,000 for a major flaw in iOS 9.3 and above – and the exploit to use …
The bug bounties offered by these billion-dollar companies are pitiful. $10,000 for a flaw that could ruin your company overnight? What are they thinking?!
The sooner they start offering more realistic bounties, the sooner we can shut down the black market for these exploits, and stem the flow of these zero-days to criminals and governments with malign intent.
I don't think you understand how supply and demand works. The lower the supply of exploits, the higher the price. If companies offer higher bounties and make exploits more scarce, the blackhats will be willing to pay more for one, and the companies will be forced to raise the bounties even higher. Should they pay $5 million per exploit if the black market is willing to pay $6 million?
> I don't think you understand how supply and demand works.
Bud, I'm not sure you do either. The maximum a black hat will pay for a vulnerability is not determined by how much Microsoft is willing to pay for it; it's determined by how much they think they can make from the exploit.
We have to assume there is already an efficient market for these exploits and that the prices already discussed represent close to the maximum that black hats are willing to pay.
If there is plenty of supply of exploits on a given platform, that means two things: 1) the exploits are cheap and 2) the platform is inherently insecure. While the law of supply and demand would necessarily focus on the first point (otherwise whoever is willing to pay for exploits would go bankrupt, and yes, I'm also puzzled why the Flash exploit rate is far more than $100 a pop), the second point indicates that the vendor does not care (enough), which also means that either they are a short step from bankruptcy or, more likely, their business model factored in that security exploits are not going to ruin them overnight.
Yes, the exploits might ruin their customers, but did you read any of the EULAs of the software you are using? Yes, I am being cynical, but that's the reality we live in.
> The bug bounties offered by these billion-dollar companies are pitiful. $10,000 for a flaw that could ruin your company overnight? What are they thinking?!
Really? I don't see anyone who committed themselves to the Microsoft brand end their use of their products because of a new vulnerability, however severe. Microsoft knows that long term users are by now more or less numb to the fantastic amount of fixes that land every week on their doorstep - they're not worried that such companies would suddenly walk away.
The only thing happening here is that there's yet again a US vulture that is quite happy to make a profit by creating risk to users by driving up the cost of security information, because, hey, capitalism trumps decency every time. Yes, I used the word "Trump" - accidental but quite to the point too.
"Really? I don't see anyone who committed themselves to the Microsoft brand end their use of their products because of a new vulnerability, however severe. Microsoft knows that long term users are by now more or less numb to the fantastic amount of fixes that land every week on their doorstep"
Replace Microsoft with Android and replace the "fantastic amount of fixes" with "fantastic amount of zero fixes". The hordes know nothing about security and don't care - the Android ecosystem is the living proof.
I've noticed a fantastic amount of fixes landing on my Linux installations every week, and I'm content in having those fixes than not having them.
> I don't see anyone ... end their use of their products because of a new vulnerability,
Ok, so Microsoft isn't a great example, but just off the top of my head, give Mt. Gox or Ashley Madison a call, see how much they would have been willing to pay to get their hands on the bugs that wiped them out.
Every other week I read a responsible disclosure of some bug that could have wiped out or seriously damaged a business, and then in the footnotes it'll say they got a bounty of $2,000, or $10,000, or they broke some rule and the company decided to not pay out anything.
> yet again a US vulture that is quite happy to make a profit ... because capitalism trumps decency every time
Until bug bounties are competitive, these pig-dog-capitalist bug-brokerages that you despise will thrive. My point is that bug bounties programmes need to offer more. A lot more. This will also have the fantastic side-effect of compelling software producers to give much more of a shit about security. Maybe once bug bounty programmes start paying (what I would consider to be) reasonable rates, security would no longer be an afterthought, but a primary concern.
Hmm... It's been a long time since my computer forensics course, but I'm pretty confident that in the UK selling exploits like that, as opposed to disclosure, will get you on extremely shaky legal ground. No doubt their prices reflect that.
And we're not even considering the conscientious aspect--and frankly, white hats quite rightly take pride in their high ethical standards. No doubt their price reflects that too.
Quick look reveals these companies¹ make a significant part of their income from selling the vulns to various government agencies (US and European, very likely others too). So in the end it's you, the taxpayer, funding their business.
¹ Exodus is one of a growing number of them, others are Zerodium (ex-VUPEN), Hacking Team, Endgame Systems, ReVuln, ...
Who exactly are Exodus intelligence's customers?
"...only discloses after it has extracted the "maximum value for our customers." " is a rather worrying statement...
On the topic of bounties, if the prices go up and it starts costing MS, Apple and co. significant cash, then maybe they will start investing more cash into designing secure systems in the first place, i.e. letting the creators spend a bit more time plugging the holes instead of rushing out shipping to man+dog... It's only when it starts hitting the bottom line that companies take security seriously...
> Who exactly are Exodus intelligence's customers?
According to an article I read in La Repubblica some time ago, backed by a quick perusal of those companies' web pages, that's almost entirely governments.
As someone told me once, just because you're paranoid, it doesn't mean they're not after you. :-(
>The author resides in US and Exodus is a US company so they're going to give checks that say 'check'.
No, they're going to pay by cheque. It will probably be a grey cheque, is very unlikely to have either 'check' or 'cheque' written on it and certainly won't be saying anything.
Presumably Exodus will turn around and sell these exploits for a multiple to the big boys. Still sounds like good news for indie researchers, as $500-10k is such shit money from M$ / FB directly etc.
But the concern is Exodus will hoard these exploits until they can extract maximum dollar? Good for them! It's about time cash-hoarding billion-dollar Privacy Deniers have to pay for data!