Hackers today are selling zero-day exploits to government agencies via middlemen who charge a commission for setting up the deal. The organizations don’t tell the public about the code they pay for because they use it to gain access to their target’s devices. Selling to them is considered safer than striking deals with the mafia or other shady organisations because in those cases talks can go south at any time.With these kinds of profits, why waste time with small payouts and contests? I can't imagine there is much incentive anymore for security research or hacker groups to report vulnerabilities responsibly to vendors. This is an interesting trend that will be exciting to watch as the market for exploits continues to grow rapidly.
Monday, March 26, 2012
A hacker can typically profit from newly discovered software exploits in three ways: 1) receive a small reward by responsibly disclosing the vulnerability to the software vendor, 2) sell the exploit through an underground market, or 3) sell the exploit to a government agency. Hackers often go after vendor payouts or industry notoriety as rewards for discovering vulnerabilities in software and systems. These incentives are often part of a contest where many hackers try to be the first to find a weakness in a program or other system. Underground markets for so-called "zero-day" exploits have existed for a while, and in the past have involved organized crime groups. But, recently we've seen an increasing trend towards selling the exploits to government agencies for even bigger profits. A fascinating Forbes article mentions that a US government contractor recently purchased an exploit for iOS for $250,000. According to the Zero Day Blog: