Would you pay $300,000 for a zero-day exploit for a bug like Heartbleed? Well, somebody does, and it's not the traditional hacker bad guys; they don't have that kind of money. But before we get to the buyers, let's see what they get for their money.
First of all, they get exclusive rights to the exploit and to all updates. They are also promised that the original maker of the software, the vendor, will not be informed of the vulnerability the exploit relies on. Because the vendor is unaware of the flaw, it cannot ship a patch that would keep its regular customers secure. The longer the flaw stays undiscovered, the more the buyer of the exploit ends up paying, because payment is made in installments over time. An early patch by the vendor cuts short the period in which the exploit can be used and, consequently, lowers the price. After a previously agreed time limit, generally at least six months, the vendor may be informed of the flaw. So the seller of these exploits does not only make money from the initial sale: it can then make money again by selling the flaw it found back to the original vendor.
In the past, zero-day exploits were a product of the deep web and their customers were hackers. Nowadays, the only ones who can afford the high prices for these exploits are Western governments. The sellers operated on the black market until it became clear to them that they could form companies and make far more money in the legitimate market. You can readily find them selling their wares on the regular internet. These companies claim that they only sell to governments, defense departments, or law enforcement agencies of trusted countries. However, most experts agree that they keep one foot in the deep web and employ old hacker friends to help them design these exploits.
While these companies allow those buying their exploits to gather information, the general public is left uninformed until it is too late. Some would say this is unethical conduct. Others claim it is unethical to sell the information about vulnerabilities back to the vendor after the flaw has already been exploited. When hackers at the zero-day exploit company Vupen found vulnerabilities in Google's Chrome at the 2012 Pwn2Own contest, Google offered them $60,000 if they would disclose the vulnerability. The offer was laughed at. "We wouldn't share this with Google for even $1 million," says Chaouki Bekrar, Vupen's chief executive and lead hacker. "We don't want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers." Another hacker remarked, "I refuse to deal with anything below mid-five-figures these days."
Here are two price lists. The first is what Google pays for bugs found in its software.
The next chart shows the price of zero-day exploits for various software. Since the time this list was made (2012), prices have increased dramatically due to demand. However, the point is to see the difference between the two payment systems.
Which system would you prefer to be paid in?
This money-driven attitude has led to an even scarier scenario. As Bruce Schneier pointed out in a Forbes article, "it gives software programmers within a company the incentive to deliberately create vulnerabilities in the products they're working on — and then secretly sell them to some government agency." Or sell them to companies like Vupen, which can act as middlemen.
Within the scenario described above, one can see the blueprint for a potential Heartbleed conspiracy. Even Robin Seggelmann, the German software developer who admits making the coding error in his OpenSSL patch, understands that such speculation is logical. "Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.
‘It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know [about] the bug until it was released and [I am] not affiliated with any agency, I can only speculate.’”
To add to the conspiracy theory, Heartbleed can be used to gather information (it lets an attacker read chunks of a vulnerable server's memory), suggesting a government or law enforcement buyer, if there was a buyer. In addition, it remained undiscovered for two years, and it was disclosed only at the moment Windows XP support ended and XP machines were about to become a major target for hackers. In a conspiracy theory, all of this could be taken to suggest that those who used the vulnerability agreed to a contract within certain limits, with an endpoint timed to coincide with a distracting security story. The vulnerability could have been discovered years ago and sold to an interested buyer, but the only person we know of who made money on this bug was Google engineer Neel Mehta, who was awarded $15,000 by the Internet Bug Bounty program for discovering it.
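To make concrete what "the coding error" and "gather information" mean here, the following is an added illustration, not code from the article or from OpenSSL: a cut-down model of the TLS heartbeat processing that Heartbleed abused, with the vulnerable handler next to the fixed one. The record layout follows RFC 6520 (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding). The arena, the record contents, and the "SESSION=..." secret are all constructed for the demonstration; the arena stands in for the process heap, with the bytes after the record playing the role of adjacent memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Read a 16-bit big-endian length, as OpenSSL's n2s macro does. */
static uint16_t n2s(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Build a heartbeat request whose header claims `claimed_len` payload bytes
 * while only `real_len` bytes are actually present. Returns the record size. */
size_t build_heartbeat(unsigned char *buf, uint16_t claimed_len,
                       const unsigned char *payload, size_t real_len) {
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, real_len);
    memset(buf + 3 + real_len, 0xaa, HB_PADDING);   /* padding; content irrelevant */
    return 3 + real_len + HB_PADDING;
}

/* Vulnerable handler, mirroring OpenSSL 1.0.1 before 1.0.1g: the declared
 * payload length is trusted and rec_len is never consulted, so the memcpy
 * reads past the end of the record into whatever follows it in memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap) {
    (void)rec_len;                                   /* the bug: never checked */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(p);
    p += 2;
    if (hbtype != HB_REQUEST) return 0;
    size_t need = 3 + (size_t)payload + HB_PADDING;
    if (need > resp_cap) return 0;                   /* harness limit only; OpenSSL malloc'd this */
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);                    /* the over-read happens here */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return need;
}

/* Fixed handler: the two length checks added in OpenSSL 1.0.1g. A record
 * whose declared payload does not fit inside it is silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap) {
    if ((size_t)(1 + 2 + HB_PADDING) > rec_len) return 0;   /* too short for header + padding */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(p);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;  /* claimed length exceeds record */
    if (hbtype != HB_REQUEST) return 0;
    size_t need = 3 + (size_t)payload + HB_PADDING;
    if (need > resp_cap) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return need;
}

/* Byte-string search; memmem is not portable C. */
static int buf_contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed scenario: a 4-byte "ping" that claims to be 64 bytes long,
 * followed in the arena by a secret the server was never meant to send.
 * Returns 1 if the vulnerable handler echoes the secret back. */
int vulnerable_leaks_secret(void) {
    unsigned char arena[256] = {0}, resp[256];
    size_t rec_len = build_heartbeat(arena, 64, (const unsigned char *)"ping", 4);
    strcpy((char *)arena + rec_len, "SESSION=deadbeefcafe");   /* "adjacent heap" */
    size_t n = heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);
    return n > 0 && buf_contains(resp, n, "SESSION=deadbeefcafe");
}

/* Same malformed record against the fixed handler: returns 1 if dropped. */
int fixed_rejects_oversized(void) {
    unsigned char arena[256] = {0}, resp[256];
    size_t rec_len = build_heartbeat(arena, 64, (const unsigned char *)"ping", 4);
    strcpy((char *)arena + rec_len, "SESSION=deadbeefcafe");
    return heartbeat_fixed(arena, rec_len, resp, sizeof resp) == 0;
}

/* An honest request (claimed length matches) is still answered after the fix. */
int fixed_answers_honest(void) {
    unsigned char arena[256] = {0}, resp[256];
    size_t rec_len = build_heartbeat(arena, 4, (const unsigned char *)"ping", 4);
    size_t n = heartbeat_fixed(arena, rec_len, resp, sizeof resp);
    return n == 3 + 4 + HB_PADDING && memcmp(resp + 3, "ping", 4) == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops bad record:  %d\n", fixed_rejects_oversized());
    printf("fixed handler answers honest:    %d\n", fixed_answers_honest());
    return 0;
}
```

The whole flaw is the gap between the length the client claims and the length the record actually has; a real attacker claimed up to 65,535 bytes per heartbeat and repeated the request until private keys, session cookies, or passwords showed up in the replies. The fix is nothing more than comparing the claimed length against the record length before copying, which is why a missing bounds check this small could sit unnoticed for two years.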
But this is all just idle speculation. The point is that the infrastructure does exist in the gray market to make such a scenario plausible, and since it is plausible and possible, the day will inevitably come when this gray market mechanism is put to use... if it hasn't been already.