Offensive Cyber Working Group

By Max Smeets

Zero-day exploits expose a previously unknown vulnerability. They can be especially powerful for gaining access to computer systems or escalating privileges within the system.

Zero-day exploit brokers often publicly advertise what they pay out to developers for their new vulnerability discoveries. You can find detailed price lists online that tell you exactly how much money you can get for what type of exploit.

In recent years, these changes in advertised prices have been used by many commentators as a key source to understand the trends in the zero-day exploit market. For example, the media has written about the fact that you can get a reward of over a million dollars if you ensure access to an iPhone – finding a way to hack Android devices can be even more lucrative.

Yet, in reality, these publicly advertised payouts are bad indicators of market trends – and can be highly deceiving. There are often significant discrepancies between the advertised price and the actual bounty price. That is because the brokers play a signaling game involving multiple audiences.

Buying zero-days and the role of brokers

To aid their hacking activities, some government agencies (and other organisations) are frequent customers in the market for zero-day exploits.

A state can buy an exploit directly from the developers, often informally called ‘bug hunters’. But, as I explained in this Lawfare piece, it is more common that the sale goes through an exploit broker or platform that acquires original and previously unreported zero-day research from the bug hunters – and then sell it on to customers.

“Buying exploits through a broker reduces the number of parties a government organization has to engage with, allowing them to more easily vet the selling party and develop a long-term business relationship”, I previously noted.  These exploit brokers and platforms exist across the world.

The role of brokers

A particularly well-known exploit acquisition platform based in Washington DC is Zerodium (its predecessor was Vupen). Zerodium resells zero-day exploits for a wide range of operating systems, web browsers, email servers, and other applications. It provides a detailed list on the website as to what it pays out to developers for a certain exploit.

The payout for security researchers submitting fully functional exploits for mobile devices to the company are especially high. In 2015, Zerodium’s inaugural year, the platform would pay a bounty of up to $500,000 for a remote jailbreak of an iPhone (jailbreaking is a former of privilege escalation which removes software restrictions, permitting access to the operating system of the device). A year later, it doubled the maximum bounty to $1 million on iOS vulnerabilities. Soon after, Zerodium announced that it offers bounties of up to $1.5 million for this type of exploit. It also increased the payout for an Android exploit from $100,000 in 2015, to $200,000 in 2017, and ultimately to $2.5 million in the last year.

The payouts for zero-days offered by these platforms to bug hunters are often publicly advertised and seem to get fatter by the day. The media frequently reports on the spikes in the public price listings of exploits of Zerodium and academic studies have also started to build databases to analyse the market.

Yet, using these public listings to cover trends in the exploit market is highly problematic.

Signalling to multiple audiences

Exploit acquisition platforms use the listed prices to signal to multiple audiences.

First, an exploit acquisition platform wants to signal to the exploit sellers: ‘don’t sell them to another broker, sell them to us.’ This can lead to secondary effects in which the messages drive up the (public) prices for other brokers, in a space where exploit developers may try to sell their exploit to different brokers.

Similarly, the exploit acquisition platform also wants to signal to the exploit sellers: ‘don’t sell them to the vendor, sell them to us.’ Last, the exploit acquisition platform wants to signal to the exploit buyers: ‘look, we pay high prices for the exploits to developers, we have to charge you high prices if you want to buy them from us.’

Hacking can make you rich. However, the sums involved might not be as high as the ones you see in the news.

—

This essay is adapted from No Shortcuts: Why States Struggle to Develop a Military Cyber Force

Max Smeets is a Senior Researcher at the Center for Security Studies (CSS) at ETH Zurich, Director of the European Cyber Conflict Research Initiative, and author of ‘No Shortcuts: Why States Struggle to Develop a Military Cyber-Force’, published with Oxford University Press and Hurst in May 2022.