By now you may be thinking, surely he won’t post ANOTHER cybersecurity blog, right? Well, you’d be wrong! I AM that boring and out of touch with what information people want to learn more about. I’m also secretly trying to plant the seed so that in 15 years, when you need to hire a CISO, you’ll think of that guy with a manbun in your Digital Transformation class who wouldn’t stop talking about cybersecurity. Vote Olger for CISO 2035!
To ensure everyone is on the same page as they read this blog, let’s recap how vulnerabilities are identified. Vulnerabilities are bugs in code that can be exploited to gain extra privileges, circumvent security controls, or impede business activities, among other attacks. When vulnerabilities are identified by the software vendor, the vendor typically works quickly to create a patch that closes the vulnerability and then pushes it out to the world. By 2013, bug bounty programs, whereby researchers disclose vulnerabilities for small payments, had become mainstream. Security researchers, or white hat hackers, try to hack their way into a physical device or piece of software. Once they’ve identified a vulnerability, they submit it to the bug bounty program and receive a payment that depends on the severity of the vulnerability. The programs are either managed by a third-party middleman (Bugcrowd, HackerOne, etc.) that sources vulnerabilities on behalf of smaller companies, or by the software company itself (Apple, Google, etc.) if it is big enough to host its own platform. This is now standard procedure for any responsible cybersecurity program.
While almost all middleman bug bounty programs are specifically hired by companies to gather vulnerabilities from the community, one has taken a different approach. Instead of acting as a marketplace, it acts as a reseller: it purchases vulnerabilities from security researchers and sells them to the highest bidder around the world. It prides itself on the confidentiality of both its vulnerabilities and its client list. The most interesting aspect of it all is that while its clients span the globe, the company is headquartered in Washington DC, and to this point everything it is doing is legal. This company is called Zerodium, the marketplace of software vulnerabilities.
Zerodium functions by sourcing zero-day vulnerabilities in high-profile and often targeted software. (As a note, “zero-day” refers to a vulnerability that has not been made public, patched, or become known to any party outside of the researcher.) Zerodium is the second iteration of this concept: its founders originally started Vupen in 2004, but after much negative publicity they shut down that company and rebranded as Zerodium. The only changes were the name and the client base; whereas previously they would sell their vulnerabilities to law enforcement agencies, the new business model is limited to governments around the world.
The Zerodium process follows the steps above. Security researchers and white hat hackers identify vulnerabilities and submit them to Zerodium through its online platform. Payments are made within a week of the code evaluation and can be massive. One critical zero-day mobile vulnerability will net the researcher up to $2,500,000. As of Oct 2021, Zerodium touts a platform of 1500 security researchers, 10,000 submissions, and $50M paid in bounties, for an average of ~$5,000 per vulnerability.
After Zerodium sources its vulnerabilities, it goes around and tries to sell them to its customers. The critical question is: who are Zerodium’s customers? There is no public list, as the company prides itself on confidentiality; however, it does state that its customers are “government institutions (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities.” Zerodium has been linked to a few high-profile attacks perpetrated by foreign government agencies. Some organizations claim that the zero-day attack performed on UAE blogger Ahmed Mansoor was sourced by Zerodium and sold to the United Arab Emirates government. It may not be possible to trace where vulnerabilities are sourced from, as Zerodium is purposefully working in the shadows. However, given the size of the bounties that Zerodium can pay out to researchers, it’s obvious that it has had success with its business model.
Picture yourself as a security researcher who’s just identified a critical zero-day vulnerability in the Android platform. You know that Google would pay its maximum amount for this, a whopping $1,000,000, but at the same time, Zerodium would pay you $2,500,000. Both are legal avenues, but they carry different ethical implications. Zerodium’s customer would likely be a government institution that uses that vulnerability to gain backdoor access to its citizens’ cell phone data. I suppose it’s a question of how much your ethics and morals are worth. Maybe $2.5M isn’t enough for you right now, but Zerodium keeps increasing its bounty amounts, and it seems like it’s only a matter of time until it hits the number that tips the scale.
On October 20, 2021, the US government announced that it will begin controlling the export of tools that can be used in cybersecurity attacks against citizens. The new laws directly reference zero-day vulnerabilities being exported to international governments. While this may affect Zerodium’s business model, there are other players internationally that are not covered under the new laws and will be able to continue providing sourced zero-day vulnerabilities to foreign governments, and potentially to criminal organizations as well.
If we take a step back, we can see that companies like Zerodium and others have been an unintended consequence of digital transformation. The big push to create bug bounty programs and publicize vulnerabilities to improve the security posture of the internet has backfired. While vulnerabilities are being identified, they are not making their way to the vendor who can enact the changes required. Instead, they are making their way to governments or criminal organizations that then exploit the vulnerability against their victims. The potential saving grace is that researchers appear to be chasing money instead of mayhem. While Zerodium is currently able to provide bigger payments, there is a potential future in which private companies begin increasing bounty payments to compete with the industry. Until that day, we’re all a little more vulnerable to these practices.