Even as the FBI was looking for ways to bypass Apple’s security features to unlock an iPhone, a little known company was offering “to pay the highest rewards” for ways to exploit vulnerabilities in popular programs and had recently paid $1 million for a way to hack Apple’s latest iPhone operating system.
The company, Zerodium, was founded by French hacker Chaoki Bekrar, who first became prominent in security circles by winning hacking contests like Pwn2Own, to buy and sell previously unknown security bugs. These vulnerabilities are called zero-days because they’ve been publicly reported for “zero” days.
Bekrar says that Zerodium sells these vulnerabilities and “protective measures” to customers who use them “to stop attacks before they are exploited in the wild.” He adds that “some other customers use the research to conduct cybermissions and protect lives.”
Variants of so-called bug bounty programs are fast becoming a mainstream defensive security technique, and now include not only organizations which pay hackers who report vulnerabilities, but vulnerability disclosure programs, that neither penalize nor reward researchers for their discoveries. Over the past year, they’ve spread rapidly beyond Silicon Valley and are now offered by the likes of General Motors and the Pentagon.
But bug bounties have a dark side. Independent, unregulated marketplaces for vulnerabilities and exploits like Zerodium tend to compensate hackers more than official bug bounty programs. As far back as 2012, marketplaces for offensive bug bounties—where people can buy bugs they can then use against individuals, companies, and governments—could command a quarter of a million dollars for vulnerabilities on iOS.
“The value of vulnerabilities on the offensive side is a function of their scarcity and usefulness,” bug bounty expert Casey Ellis says. “There’s more money in offense than in defense.”
The dark side of bug bounties—or just a clearer picture?
Independent vulnerability marketplaces are controversial in the security industry. People have described Bekrar as the “Darth Vader” of cybersecurity, and some security researchers argue that organizations which buy vulnerabilities and then keep them open instead of fixing them are effectively weaponizing the exploits.
“There’s folks that are out there that play both sides,” says Ellis. “You can’t do anything about the hacker, but you can fix the vulnerability.”
The differences between hackers who sell exploits to unofficial marketplaces and conventional security researchers who focus on company-sponsored bug bounties are hardly black-and-white. Certainly Bekrar doesn’t see much difference.
“Helping customers to solve both cyberworld and real-world problems is definitely ethical,” he says.
Bekrar declined to say whether Zerodium has helped a company like Apple source vulnerabilities on its own systems. He also declined to address the weaponization concerns.
But he does point out ways in which Zerodium could perform a public good where a company-sponsored bug-bounty program couldn’t. In theory, a government agency investigating a criminal suspect could use a security bug it purchased from Zerodium or one of its competitors to access a suspect’s phone or laptop.
Bekrar says government agencies regularly purchase computer security vulnerabilities from companies like his. They need “access to unpatched flaws to properly conduct investigations and save lives without compromising the whole ecosystem,” he says.