The bug bounty programs offered by the major software giants are now facing growing competition from exploit traders. It seems that the rewards these vendors propose are not very competitive compared with what other parties are willing to pay.
The Facing Competition
Apple recently launched its bug bounty program, which offers security experts up to 200 000 dollars if they disclose vulnerabilities in its software products. The company has stated that it will accept reports from a limited group of people in the beginning. And while other tech giants have long had bounty programs with generous offers for critical disclosures, exploit traders have only just started to compete seriously with them.
A private security company called Exodus Intelligence is offering up to 500 000 dollars for the disclosure of major vulnerabilities in top software products and services such as Apple iOS, Google Chrome, Microsoft Edge and Adobe Flash. An interesting detail of its offer is that the company provides flexible payment options: payment by traditional methods or in the cryptocurrency Bitcoin, and the choice of a lump sum or smaller regular payments.
Due to the popularity of these products and technologies, a lot of interested parties are paying companies like Exodus Intelligence tremendous amounts of money for information about critical vulnerabilities, especially those that are still active. It is widely known that serious issues often take time to get fixed. If an organized criminal group obtains information about a security bug in a major product, a great deal of damage can result.
Exodus Intelligence has stated that it offers its clients professional examination and validation of the vulnerabilities by a “world-class team”. It is widely known that private companies and government agencies, as well as potential criminals, use such services.
The Potential Damaging Effects
Encryption is now standard for most applications that use Internet services, so critical exploits, especially zero-day ones, are a gold mine for anyone seeking to gain malicious access to user data or other sensitive information. Other uses of these exploits may include sabotage, private information leaks or other damaging effects that may prove dangerous to the target company, its software, and their users.
Government agencies such as the FBI are notorious for paying private security companies for early notification of critical bugs and security vulnerabilities in popular software services and products. A lot of researchers have criticized these actions, stating that the agencies use the exploits to spy on the behavior and information of Internet users on a global scale.
Last November the exploit trader Zerodium paid a bounty of 1 million dollars for the demonstration of a critical remote vulnerability in iOS 9.