- August 12, 2015
- Info notes
Zero-Day vulnerabilities and exploits (hereafter referred to collectively as Zero-Days) have become precious assets for a wide range of actors, for both legitimate and illegitimate purposes. Whilst previously confined to underground criminal forums, business activities around Zero-Days are increasingly common in security circles. The present note describes this emerging market.
The Zero-Day market
The diagram above illustrates the actors involved in the business of Zero-Days.
As shown in figure 1, security researchers who uncovered a Zero-Day have several disclosure options to choose from, depending on their ethics and appetite for profit.
First, researchers may disclose the vulnerability responsibly to the vendor, though not all vendors have policies to facilitate this process.
Initially, vendors offered no compensation for such disclosures; however, several have since launched reward programmes, the earliest dating back to 1995, to encourage researchers to find and reveal vulnerabilities. Such programmes can be more cost-efficient than hiring experts, notably early in the life of a software product. Rewards range from reputation credits, as in the case of Adobe, to large sums of money: up to $3,000 for Mozilla, $20,000 for Google and $100,000 for Microsoft.
Another increasingly popular way for vendors to find and patch vulnerabilities is to register their software in hacking contests such as Battlehack or Pwn2own, where participants are rewarded when they successfully exploit vulnerabilities in the software. At the last edition of Pwn2own, a single individual won $225,000. In 2014, the French security company Vupen used a total of 11 Zero-Days to earn close to $400,000. Despite their popularity, these contests have a drawback: because of the significant sums at stake and because the contests are held only periodically, vulnerabilities found in the meantime are held back until the next event, remaining unpatched for several weeks or months.
Companies such as Vupen, Hacking Team or FinFisher, which sell spyware suites, rely upon Zero-Days for their business activities. They buy exploits found by security researchers and package them into advanced products to sell to their clients, whose needs are not always legitimate. A single Zero-Day, depending on its criticality, may be sold to such companies for up to several hundred thousand dollars, while packaged products such as RCS from Hacking Team are bought by governments for several million dollars.
In the face of such large amounts of money and the numerous risks faced by both sellers and buyers (exclusivity, misuse, legal prosecution, disclosure, etc.), specialised brokers have started to emerge, such as Netragard, Vulnerability Brokerage International (VBI) or Mitnick Security. Increasingly, stock market rules find parallels in the Zero-Day market: volatility of value, the attractiveness of a given software to researchers being driven by profit, and insider trading. Nevertheless, few rules govern business activities in the Zero-Day market, and those that exist are difficult to enforce, a situation that companies such as Hacking Team and brokers such as VBI use to their advantage.
Lastly, an unregulated market also benefits criminals, who can easily buy Zero-Days and use them in profitable cyberattacks. The revival of the infamous Darkode forum in July 2015, less than two weeks after its takedown, is evidence of such interest.
Further regulating the market would limit the risks of Zero-Days being purchased for such activities and restrict their use to legitimate purposes.
The monetisation of vulnerability research findings, and of Zero-Days in particular, was inevitable, and so, it seems, is the decline of unpaid responsible vulnerability disclosure. The rapid growth of the unregulated Zero-Day market is worrisome. Though discussions are ongoing, the Wassenaar Arrangement on export controls for conventional arms and dual-use goods and technologies currently leaves Zero-Days out of its scope. An info note addressing this topic will be released shortly.
For vendors:
- Implement a secure development process;
- Implement a vulnerability disclosure policy;
- Provide incentives for security researchers to search for and disclose vulnerabilities responsibly;
- For vendors with limited resources, the vulnerability disclosure process can be outsourced to specialised companies.
For security researchers:
- Disclose the full details of the vulnerability first to the vendor and provide the latter with sufficient time to develop a corrective patch;
- Let the public know enough so that the risk can be mitigated, but not enough for the vulnerability to be exploited in an attack;
- Partial to full public disclosure might force the hand of a vendor which ignored the previous steps, though in most cases full details about the vulnerability should only be revealed publicly once patched by the vendor.
For policy makers:
- Consider strengthening the legal framework governing the Zero-Day market to prevent abuses.
About “Info Notes” from ENISA
With the “Info Notes” series, ENISA aims to give the interested reader some background and recommendations on NIS-related topics. The background and recommendations are derived from past experience and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or request more information on the “Info Notes” series (firstname.lastname@example.org).