Black market for software security flaws reaches new highs

The black market in previously undiscovered vulnerabilities in commercial software is so established that the average flaw sells for up to $160,000


One supplier of such so-called “zero-day” vulnerabilities charges customers an annual $100,000 subscription fee, and then further charges per sale, according to the New York Times (NYT).

Costs depend on the sophistication of the vulnerability and the pervasiveness of the operating system or commercial software concerned.

In an attempt to counter this rapidly growing problem, many technology companies have started “bug bounty” reward programmes.

Last month, Microsoft finally joined Google, PayPal, Facebook and the Mozilla Foundation in offering cash rewards to prevent bug finders turning to the black market.

But Microsoft, which had previously stopped short of offering similar cash rewards, was forced to come in with an offer of $100,000 for exploitation techniques against protections built into Windows 8.

Google, which recently upped its bounty to $20,000, and Facebook, which has so far paid only up to $20,000 for a single bug, may have to rethink their bug bounty programmes to remain effective.

The market is being driven upward by the increasing participation of governments eager to stay one step ahead of their rivals, according to the NYT report.

Top buyers of software flaws include the US, UK, Israel, Russia, India, Brazil, North Korea, Malaysia and Singapore, the paper said.

This is especially worrying given that some of these black market suppliers specialise in vulnerabilities in industrial control systems that can be used to access or disrupt national utilities such as electricity or water.

The rapid growth of the market for software vulnerabilities presents a serious challenge to commercial software producers. It also underlines the growing importance of supply chain security.


Responding to the NYT report, Jeremiah Grossman, founder and CTO of WhiteHat Security, said huge black market rewards are likely to tempt rogue developers to plant bugs in software.

“It is hard enough to find vulnerabilities in source code when developers are not purposely trying to hide them,” he said.

Supply chain security has become an increasing priority as cyber attackers have also turned to infiltrating weakly defended companies to work their way up or down the supply chain to their end target.

In response to this concern, the UK’s Ministry of Defence has teamed up with nine large defence firms and telecoms providers to set up the Defence Cyber Protection Partnership (DCPP).

The DCPP is the latest in a series of cyber security initiatives by the government since cyber threats were categorised as one of the national defence priorities in 2010.

The partnership will look to implement controls and share threat intelligence to increase the security of the defence supply chain.
