In part 1 of this blog series, I presented a definition for zero-day threats. Now that we know what they are, let’s explore how they come to be–why they exist.

Many years ago security researchers discovered vulnerabilities in software and took their findings to the manufacturer, or vendor. Oftentimes they, or their findings, were either ignored or not taken seriously. Out of frustration researchers began seeking other means to have their issues properly addressed, and their voices heard. (For more on this, listen to McAfee’s AudioParasitics podcasts Episode 4 & Episode 5 with special guest Stuart McClure.)

Back then, fighting “for the people” and making software more secure were certainly motivating factors for researchers; and of course notoriety and peer praise played a role.

Nowadays there is another primary motivating factor: money. The rewards range from the few hundred dollars that vendors like Mozilla pay, to the thousands of dollars that vendors such as VeriSign iDefense, 3Com TippingPoint, Digital Armaments and, more recently, Netragard’s Snosoft fork over, to the many thousands of dollars offered by private companies and individuals on the black market.

Vulnerability Bounty Programs

| Vendor | Date Announced |
|---|---|
| iDefense | Aug-02 |
| Mozilla | Aug-04 |
| TippingPoint | Jul-05 |
| iDefense | Jul-05 (doubled bounty) |
| Digital Armaments | Oct-05 |
| Netragard | Jan-07 |

iDefense Vulnerability Challenges

| Period | Challenge | Bounty |
|---|---|---|
| Q2/3-07 | Critical infrastructure vulnerabilities | $16k-$24k |
| Q1-07 | Critical Vista & IE7 vulnerabilities | $8k-$12k |
| Q4-06 | Critical IM vulnerabilities | $10k |
| Q3-06 | Critical browser vulnerabilities | $10k |
| Q2-06 | Critical database vulnerabilities | $10k |
| Q1-06 | Critical Microsoft vulnerabilities | $10k |

Charlie Miller recently published a paper entitled The Legitimate Vulnerability Market: Inside the Secretive World of 0-day Exploit Sales, describing the challenges of selling vulnerability information. As discussed in this paper, there are a number of obstacles when trying to line up a buyer, negotiate a fair price, prove the validity of the vulnerability, and close the deal without either party getting burned. Many researchers who are fed up with these problems opt to trade in the currency of fame rather than fortune. Some of these researchers have contributed to various “Month of X Bugs” projects: blogs built for the regular, scheduled disclosure of vulnerabilities. The first few of these projects got quite a bit of attention, but now that there have been seven of them, they are becoming tiresome.

So why buy a zero-day threat? Research organizations created bounty programs to buy zero-day threats to protect and share the vulnerabilities with their customers, for marketing and press–oh–and to notify the vendor to patch the problem. Private parties must buy them for the same reasons, yes? Wait a moment, private parties have no customers and they don’t want the attention of press. Why would they want the vulnerability patched? That would only devalue the information. What are the remaining reasons for them to purchase these vulnerabilities? To carry out attacks, of course, or to resell the threats. It’s also conceivable that in an age of cyberwarfare, governments may purchase zero days to both remove the threat from the market and to beef up their defenses.

Tune in next week for Zero-Day Threats, Part 3: When & How Are They Released?