Many technology companies have started “bug bounty” programs in which they pay hackers to tell them about bugs in their systems rather than have the hackers keep the flaws to themselves — or worse, sell them on the black market. Nearly a decade ago the Mozilla Foundation started one of the first bounty programs to pay for bugs in its Firefox browser. Since then, Google, Facebook and PayPal have all followed suit. In recent months, bounties have soared.
In 2010, Google started paying hackers up to US$3,133.70 — the number is hacker code for “elite” — for bugs in its Web browser, Chrome. Last month, Google increased its cash prize to US$20,000 for exploits in some of its widely used products. Facebook began a similar program in 2011 and has since paid out US$1 million. One payout was US$2,500 to a 13-year-old. The most it has paid for a single bug is US$20,000.
“The program undermines the incentive to hold on to a bug that might be worth nothing in a day,” Facebook chief security officer Joe Sullivan said.
It also has the unintended effect of encouraging ethical hackers to turn in others who planned to use a bug maliciously.
“We’ve seen people back-stab other hackers by ratting out a bug that another person planned to use maliciously,” he said.
Microsoft, which had long resisted such a program, did an about-face last month when it announced that it would pay hackers as much as US$150,000 for a single exploit, if they also provided a way to defend against it.
Apple still has no such program, but its vulnerabilities are some of the most coveted. In one case, a zero-day exploit in Apple’s iOS sold for US$500,000, according to two people briefed on the sale.
Still, Soghoian said, “The bounties pale in comparison to what the government pays.”
The military establishment, he said, “created Frankenstein by feeding the market.”
In many ways, the US government created the market. When the US and Israel used a series of flaws — including one in a Windows font program — to unleash the Stuxnet worm, a sophisticated cyberweapon used to temporarily cripple Iran’s ability to enrich uranium, it showed the world what was possible. It also became a catalyst for a cyberarms race.
When the Stuxnet code leaked out of Iran’s Natanz nuclear enrichment plant in the summer of 2010, the flaws suddenly took on new value. Subsequent discoveries of sophisticated state-sponsored computer viruses named Flame and Duqu that used flaws to spy on computers in Iran have only fueled interest.
“I think it is fair to say that no one anticipated where this was going,” said one person who was involved in the early US and Israeli strategy. “And today, no one is sure where it is going to end up.”
In a prescient paper in 2007, Charlie Miller, a former NSA employee, described the profitable alternatives open to hackers who might otherwise have turned their information about flaws over to the vendor for free, or sold it for a few thousand dollars to a program like TippingPoint’s Zero Day Initiative, now run by Hewlett-Packard, which used the flaws to enhance its own security research.
He described how one US government agency offered him US$10,000 for a Linux bug. He asked another for US$80,000, which agreed “too quickly,” Miller wrote. “I had probably not asked for enough.”