Zerodium: The Marketplace of Vulnerabilities

By now you may be thinking, surely he won’t post ANOTHER cybersecurity blog, right? Well, you’d be wrong! I AM that boring and out of touch with what information people want to learn more about. I’m also secretly trying to plant the seed so that in 15 years, when you need to hire a CISO, you’ll think of that guy with a manbun in your Digital Transformation class who wouldn’t stop talking about cybersecurity. Vote Olger for CISO 2035!

To ensure everyone is on the same page as they read this blog, let’s recap how vulnerabilities are identified. Vulnerabilities are bugs in code that can be exploited to gain extra privileges, circumvent security controls, or impede business activities, among other attacks. When a vulnerability is identified by the software vendor, the vendor typically works quickly to create a patch that closes it and then pushes the patch out to the world. By 2013, bug bounty programs, whereby researchers disclose vulnerabilities for small payments, had become mainstream. Security researchers, or white hat hackers, try to hack their way into a physical device or piece of software. Once they’ve identified a vulnerability, they submit it to the bug bounty program and receive a payment that depends on the severity of the vulnerability. The programs are managed either by a third-party middleman (Bugcrowd, HackerOne, etc.) that sources vulnerabilities on behalf of smaller companies, or by the software company itself (Apple, Google, etc.) if it is big enough to host its own platform. This is now standard procedure for any responsible cybersecurity program.

While almost all middleman bug bounty programs are hired by companies specifically to gather vulnerabilities from the community, one has taken a different approach. Instead of acting as a marketplace, it acts as a reseller: it purchases vulnerabilities from security researchers and sells them to the highest bidder around the world. It prides itself on the confidentiality of both its vulnerabilities and its client list. But the most interesting aspect of it all is that while its clients span the globe, it is headquartered in Washington DC and, to this point, everything it is doing is legal. This company is called Zerodium, the marketplace of software vulnerabilities.

Zerodium functions by sourcing zero-day vulnerabilities in high-profile and often targeted software. (As a note, “zero-day” refers to a vulnerability that has not been made public, has not been patched, and is not known to any party other than the researcher.) Zerodium is the second iteration of this concept: its founders originally started Vupen in 2004, but after much negative publicity they shut down the company and rebranded as Zerodium. The only changes were the name and the client base; where previously they would sell their vulnerabilities to law enforcement agencies, the new business model was limited to governments around the world.

Source: https://zerodium.com/program.html

The Zerodium process follows the steps above. Security researchers and white hat hackers identify vulnerabilities and submit them to Zerodium through its online platform. Payments are made within a week of the code evaluation and can be massive: a single critical zero-day mobile vulnerability will net the researcher up to $2,500,000. As of Oct 2021, Zerodium touts a platform of 1,500 security researchers, 10,000 submissions, and $50M paid in bounties, for an average of ~$5,000 per vulnerability.

Source: https://zerodium.com/program.html

After Zerodium sources its vulnerabilities, it goes around and tries to sell them to its customers. The critical question is: who are Zerodium’s customers? There is no public list, as the company prides itself on confidentiality; however, it does state that its customers are “government institutions (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities.” Zerodium has been linked to a few high-profile attacks perpetrated by foreign government agencies. Some organizations claim that the zero-day attack on UAE blogger Ahmed Mansoor was sourced by Zerodium and sold to the United Arab Emirates government. It may not be possible to trace where vulnerabilities are sourced from, as Zerodium is purposefully working in the shadows. However, given the size of the bounties that Zerodium can pay out to researchers, it’s obvious that the business model has been a success.

Picture yourself as a security researcher who has just identified a critical zero-day vulnerability in the Android platform. You know that Google would pay its maximum amount for this, a whopping $1,000,000, but at the same time Zerodium would pay you $2,500,000. Both are legal avenues, but they hold different ethical implications. Zerodium’s customer would likely be a government institution that uses the vulnerability to gain backdoor access to its citizens’ cell phone data. I suppose it’s a question of how much your ethics and morals are worth. Maybe $2.5M isn’t enough for you right now, but Zerodium keeps increasing its bounty amounts, and it seems like only a matter of time until it hits the number that tips the scale.

On October 20, 2021, the US government announced that it will begin controlling the export of tools that can be used in cybersecurity attacks against citizens. The new laws directly reference zero-day vulnerabilities being exported to international governments. While this may affect Zerodium’s business model, there are other players internationally that are not covered by the new laws and will be able to continue providing sourced zero-day vulnerabilities to foreign governments, and potentially to criminal organizations as well.

If we take a step back, we can see that companies like Zerodium have been an unintended consequence of digital transformation. The big push to create bug bounty programs and publicize vulnerabilities to improve the security posture of the internet has backfired. While vulnerabilities are being identified, they are not making their way to the vendor who can enact the required changes. Instead, they are making their way to governments or criminal organizations that then exploit the vulnerability against their victims. The potential saving grace is that researchers appear to be chasing money instead of mayhem. While Zerodium is currently able to provide bigger payments, there is a potential future in which private companies begin increasing bounty payments to compete with the industry. Until that day, we’re all a little more vulnerable to these practices.

Sources:
https://rsf.org/en/news/rsf-unveils-202020-list-press-freedoms-digital-predators
https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://en.wikipedia.org/wiki/Vupen
https://zerodium.com/program.html
https://threatpost.com/us-ban-cyberattack-tools-zerodium/175654/
https://www.commerce.gov/news/press-releases/2021/10/commerce-tightens-export-controls-items-used-surveillance-private

14 comments

  1. This is an interesting topic, and feels quite wild-westy still…. A couple of questions for you:
    1) What’s your personal opinion on Zerodium and its future? Do you think what they’re doing is net helpful/harmful?
    2) Do you think the US government has the tools and knowledge to keep up with regulating or monitoring them? We’ve seen in the past that the government has a tough time keeping up with tech companies.
    3) To your last point, is there any reason why companies like Google aren’t willing to pay as much in bounty payments as governments? You’d think they’d have a serious interest in improving their software.
    Good stuff!

    1. 1) I think I threw in some of my opinions throughout this post, but I’m definitely against this business model. Not only are they increasing the longevity of vulnerabilities, which could be identified by a criminal, they’re also selling them to governments who will be using these against their citizens or foreign citizens; it’s a double whammy.
      2) I think the US government could definitely subpoena this company and get access to the data and vulnerabilities they’ve bought and sold. I don’t know what laws they have broken to be able to do that. The only law that would affect them was passed 2 weeks ago, and the only limitation is essentially that the customer has to be on a list of approved customers for US government exports, which is fairly large. This shouldn’t concern them too greatly.
      3) This is a great question, and it’s tough to say. The obvious answer is that they don’t feel that a vulnerability that’s exposed will negatively affect them enough to warrant the higher sums of money required to improve their bug bounty program. It’s really impossible to say if they’re paying enough, or if they’re overpaying as of right now. How could you possibly identify the potential fallout from an undiscovered vulnerability? As you say, we’re in the wild, wild west, and it may never be possible to get out of it.

  2. Great post Olger! If it wasn’t coming from you, I would think that the idea of Zerodium is some evil organization in a movie or TV show. It is definitely interesting how much capital they are able to get due to just some vulnerabilities in code. Nothing they are doing seems illegal, but definitely unethical. You have to wonder how long it would ever take regulations to catch up to this framework of business to put a halt to this.

  3. Wow thanks for sharing this… I had no idea there were such booming “mini” marketplaces for identifying cyber weaknesses like Bugcrowd. The market vs ethics implications you discuss are really the billion dollar question. The bugs and loopholes the company identifies are obviously important enough to lure buyers that can offer far more than current companies and even our government would pay. And in a purely free-market system, it is within their right to continue this business model. If that continues to be a barrier to preventing these bugs from getting into the wrong hands though, I think the government needs to speed up their regulation creation to enact some sort of laws against selling proven cyber weaknesses to potential state enemies or rogues. Perhaps some sort of federal “vetting” of potential customers.

  4. Olger, I love the themes and your commitment to this identity. I have to be honest, this all seems so wild to me, and that this sort of company even exists makes me grateful there is this class and people like you to explain it.

    We keep discussing this in the scope of all of the data in gigantic companies, but I would have to imagine that something like this would be and probably is present for academic institutions. I am trying to imagine the situation it would create (leaking student data, leaking admissions data perhaps?). While every school does something different, I have to imagine the Ivy League or other prestigious institutions wouldn’t want that shared out. Here’s to hoping BC has a secure system so our information stays safe, but with Eagle Apps, it does not give me confidence.

  5. I knew there were competitions for identifying bugs that awarded money, but I did not know about Zerodium and this new business model. Thanks for enlightening me! For me, lots to worry about, many of which you mentioned in the blog. I predict that the client list will leak eventually, but I also predict that gov’t agencies will have shrouded their identity in some way. Seems this is a great example within the digital transformation lens of ethics vs. the marketplace (as @bryanglick1 pointed out).

  6. Personally, I appreciate your consistency because I know what to expect and each blog you do is another layer of learning. While reading this blog I thought back to about a year ago when the accounting platform my firm uses had to be taken offline for an urgent patch that had to be done. Usually patching would be done over the weekend, so the fact that it happened mid-week, mid-day is likely a critical vulnerability. I took a trip over to Zerodium’s Twitter page and it’s pretty entertaining. Wild how some days, like 9/14/21, they decided to double their bounty for Chrome chains to 1mm. It looks like they only Tweet about once a month as well, which is interesting. “We pay BIG bounties, not bug bounties!” – what a slogan.

  7. Posts like these are why I signed up for this class. I see a lot of similarities between this company and private military contractors. Since the company controls the market, I do wonder what exploits they don’t sell publicly on the marketplace at the benefit or detriment of citizens.

  8. I think this approach is fascinating and could be used for really good projects. However, I also think incentivizing unethical behaviors for pay could be controversial. I could see a time when this company, or another type of bug bounty program, ends up paying a very ill-intentioned person or group for finding a vulnerability. I know the US has started to regulate this type of operation, but as I said initially, I do think there are extremely beneficial ways this technology can be of great use.

  9. Olger, I put this in the “head spinning” category of blog posts–and that’s a good thing, by the way! As many have noted, it seems like something out of the movies — like Men in Black combined with The Fall Guy (I’m dating myself again!)

    I’m thinking of Parker’s musing of the client list getting leaked and oh boy… I wouldn’t want to be caught in that crossfire.

  10. Wow this is an incredible post. I’ve never heard of Zerodium before and I’m really surprised at how their business model is still currently legal. It’s also interesting to see that their number one clients are government agencies across the world, who have the capital to pay such fees for vulnerabilities. I wonder, if companies paid Zerodium before the vulnerability is sold, could our data be more protected?

  11. Love that this is another technical deep-dive, why not push for CISO for 2025! In my professional role I’m charged with ownership of our platform’s software development life-cycle (SDLC) which has included more and more security requirements in recent years. We utilize white source and a handful of other tools in-house, while also performing Pen-testing (https://en.wikipedia.org/wiki/Penetration_test) on our latest releases. I’d be curious to hear your thoughts on things like a bug-bounty program and whether this actually brings forth unwanted risk or attention to your systems.

  12. Long live the man-bun! Thank you for exploring these insightful and truly eye-opening topics. Even if I still am having a hard time wrapping my head around this whole sub-universe, I’m grateful there are experts like you who understand the ins and outs to help the rest of us. I’m curious if these bounties are built into companies’ cybersecurity budgets or factored into their strategies?

  13. Well, at least I know that I liked the post above before now. I actually think that unintended consequences are one of the more fascinating aspects of digital tech. It happens all the time that a technological solution or policy intended to accomplish one thing actually does the other. A great example is texting while driving rules, which often increase accidents because people take pains to hide their texting activity, which is even less safe. Add bug bounties to that list now, I guess. Nice post!
