Vulnerability purchase and sale market

Hacker

The front side of the coin

Bug, hole, vulnerability, exploit: how dear these words are to the hacker heart! It turns out, however, that they are not only dear to hackers, testers and others like them; there are also people who earn a lot of money from these very holes.

First, let me tell you about the legal side of the issue, that is, about the official, "white" market. It was formed a long time ago, and this phenomenon is by no means new. To understand why, just ask the following questions: "When did computers gain wide popularity and become a mass phenomenon?", "How long ago did such concepts as software and a hole appear?" Around the time of those events, the market for finding, buying and selling vulnerabilities was born quite naturally. Demand, as you know, creates supply.

Today, there are many major players in this business. Who is actually interested in buying vulnerabilities? Government agencies, suppliers of various commercial tools, large pentesting and consulting companies, individuals, and many others.

If we talk about well-known and already proven names in this area, then, perhaps, as an example, we can cite such companies as iDefense, SnoSoft and VUPEN.

Unfortunately, it is not possible to name specific prices for different holes, because the price here is determined by a combination of many factors. For example, you found a hole in IE; how much is it worth?

The price can easily range from $5,000 to $250,000, because everything affects the cost of a bug: how widespread the "holey" application is, how many people know about the vulnerability, how hard it was to find the bug. Other nuances, of which there are dozens, are no less important: for example, whether the application ships with the OS by default, whether the bug was found in the server part of the application or in the client part, whether authentication is required to use the hole, how well firewalls cope with protecting the vulnerable software, whether the exploit needs "help" from the user to work, and so on and so forth.

So, let's pretend that you found a bug.

Where do you run with it? I'll probably disappoint you, but I don't think you'll be able to sell the hole quickly and get paid for it. Legally, at any rate. A legitimate sale takes an average of one to four months, and sometimes this process stretches out even longer.

First, you need to understand how much your find is worth and to whom you can profitably sell it. The fact is that software manufacturers themselves rarely buy bugs. Yes, of course, you've probably heard that Mozilla is willing to pay $3,000 for bugs in Firefox, and Google is willing to fork out $3,133.70 for vulnerabilities in its Chrome browser (1337 is the word "elite" written in leetspeak). But this is more an exception to the rule and a PR move than common practice.

Those who are seriously willing to buy holes are listed above. But even here, everything is not as smooth as it seems. After all, you often cannot simply hand all the information about the bug over to the buyer, especially if the bug is new and "promising": there is a risk of being left without the information and without the money. So it turns out that correctly describing and presenting your vulnerability without giving it away completely is a whole science in itself.

Major market players who buy vulnerabilities and exploits generally have their own special programs for buying bugs, such as the Zero Day Initiative (zerodayinitiative.com) from TippingPoint, the SnoSoft program (snosoft.blogspot.com) or the iDefense Vulnerability Contributor Program. Most often, such projects use the "bug first, then money" scheme. In other words, you will be required to provide all the information to the buyer before the transaction is made.

If this situation does not suit you, you are sure that your bug is valuable, and for some reason you do not want to deal with "dealers and resellers", you can try to find a buyer yourself. But be prepared for a long ordeal, and to involve a third party in the transaction as an intermediary.

By the way, the latter can be relevant even on the black market: after all, as already mentioned, correctly describing, presenting, and even more so demonstrating your vulnerability to the buyer is not the easiest task. Many people prefer to play it safe.

The reverse side of the coin

As Chris Kaspersky, with whom we discussed this issue, correctly pointed out: "The law does not prohibit trading holes." This is absolutely true, except that some countries do have certain prohibitions; in Germany, for example, freedom of action in this area is somewhat limited.

If in the old days one of the main motivations of bug seekers was prestige and coolness, today the main driving force, of course, is money.

In fact, a computer security specialist or hacker has plenty of options once they find a bug. You can honestly report it to the developer, you can put it on public display, you can add a nice line to your resume, or you can sell it, legally or not. And it is precisely the thirst for profit that leads us to one very curious aspect of this market: vulnerabilities are often sold more than once.

The main buyers of holes are medium-sized companies working in the field of IT security. They almost never work with private individuals; their reputation is worth more to them. Buying and selling takes place, so to speak, at the top level: legal entity to legal entity. However, the main discoverers of holes are precisely individuals, and often outright black-hat hackers.

Mediating between the former and the latter is what outfits like iDefense are for. But here is the problem: controlling such hackers is still very difficult. Let's say a person found exclusive information about a certain hole and sold it to one of the big buyers. Then he sat and thought about it, and quietly resold it. And what can you do about it? You can't kill him, after all. Yes, of course, you will say that to avoid this it is enough to write the appropriate clause into the contract, but that does not help either.

Even if the contract requires the seller to completely delete all information about the hole or exploit after the transaction, and also transfers all rights to this information to the buyer, it is unfortunately impossible to erase the find from the seller's head. There is no guarantee that he will not reconstruct all the data later and sell it under the table to someone else. In fact, the buyer of the bug is practically defenseless in this matter; even the harsh US legislation is almost powerless here.

Of course, you can always file a lawsuit and try to sort it out, but, as practice shows, almost no one does this. Meanwhile, you can find ads for selling, buying, or seeking exploits and bugs on many websites and forums in their buy-and-sell sections. Often, all of this is simply in the public domain. You probably know the addresses of such resources yourself, but offhand I can name at least alligator.cash.

In Russia and Ukraine, the situation with the "bug market" is generally quite sad: vulnerabilities are sold mainly hand to hand, or bug hunters simply work to order. For example, our kind are paid about $200-350 a day to reverse patches, and it usually takes about a week to do the whole job. By global standards, such prices can only be described by the phrase "like slaves on a plantation", but for Russians this is good money, especially since the most illegal part of this business is tax evasion.

But the myth that the "bad guys" from the hacker underground are willing to pay fabulous sums for serious vulnerabilities is exactly that, a myth. Yes, history has certainly known exceptions, but believe me, there have been only a few of them. Mostly, those who engage in cybercrime on a large scale make do with the services of their own craftsmen, those very "slaves on the plantation". Such teams of reversers also cost much less to pay, and you can set them specific tasks.

Who buys holes and why

Yes, demand creates supply, but who creates this demand? Without stretching the truth much, you can answer: everyone. Software developers, pentesters, information security specialists, hackers, and many other people are interested in fresh vulnerabilities. It is best to explain with examples.

Pentesters, for example, are not only interested in new holes. These guys need everything; they are, so to speak, "collecting the kit". Pentesters use everything they can to simulate attacks: the trick is that a normal IPS (Intrusion Prevention System) raises an alert on every attack attempt, even if the system is patched and the attack fails.

That is, if you make an attack attempt and the admin has a sniffer running, he will see through the trick. But what if the admin gets 100,000 alerts in the log? Let all 100,000 be old, outdated holes; just try to work out from that how the system was actually attacked. So pentesters need a good exploit pack, and even if a hole was patched a year ago, it is still useful to them.

This contingent is served by companies like Immunity, Core Security, and Rapid7, whose tools include, among other things, exploits for known holes. By the way, pentesters do not disdain buying bugs from private individuals. They will pay less than the large buyers, but they are not particularly picky in their choice.

With companies at the forefront of computer security, the situation is reversed. Imagine: a client bought an IPS from a certain company, and this IPS neither sees nor repels new attacks. Of course, that smells like money thrown away, lawsuits and other unpleasant things.

So it is vital for security companies to learn about vulnerabilities as quickly as possible. Such companies not only buy holes for money, but also hire their own in-house specialists. Besides, there are connections.

All the more or less large market players work closely with manufacturers and know their problems. They are in the loop. Smaller players, who do not have a wide web of connections or the money for full-time reversers, are forced to buy information about holes, just like the other "ordinary mortals".

Software manufacturers, in turn, are in no hurry at all. Think for yourself: what does the same Microsoft usually say when asked about holes? That's right, MS says something like "okay, we thought about it and decided to release an unscheduled patch, because, yes, the planet is on fire, everything is on fire, and even we noticed it." Moreover, manufacturers (even those who take these issues seriously) get information about holes mostly for free, without straining.

The scheme is simple: someone found a hole, was happy, and quietly sold it to a certain hotshot hacker, who in turn used this hole to attack a "big fish". The admin of the "big fish" turned out to be no fool; he has plenty of sniffers and loggers. Having recorded the attack, he sent all the data to a security company.

The security company, under its internal mutual agreements, immediately informed the software manufacturer that a vulnerability had been found in its product. So this was only the first real use of the bug, and information about it has already reached the manufacturer. Yes, of course, if the manufacturer makes the effort itself, it will buy time.

But why? It will still take some time to create a patch, and the manufacturer almost never bears any real losses from holes. So it turns out that the vulnerability will become known anyway. And it will have to be fixed anyway. But it makes no sense for the manufacturer to pay to find out about it first. That is why Mozilla's and Google's offers are just ordinary PR, especially since they determine the "coolness" of the hole themselves.

Finally, I note that everything is not as scary as it may seem. On the one hand, there are countless holes in modern software; they cost quite a lot of money, are sold and resold from hand to hand, and are also patched very slowly. On the other hand, do not forget that in reality only a negligible percentage of these vulnerabilities are used for mass and serious attacks. Statistics, you see, say that hackers are mostly lazy to the point of horror.