Modern field guide to security and privacy

Will $1 million iOS bug bounty compel Apple to pay for software flaws?

Zerodium, a firm that counts spy agencies as customers, has offered to pay $1 million for information about holes in Apple's mobile operating system, alarming civil liberties advocates and highlighting Apple's unwillingness to pay researchers for similar work.

Chaiwat Subprasom/Reuters
A sales assistant shows features of iOS 9 on an Apple iPhone 6 at an Apple reseller shop in Bangkok.

One million dollars is a princely sum to pay for a previously unknown — or "zero day" — software vulnerability, even for one in Apple's mobile operating system.

But that's the carrot that newly formed cybersecurity firm Zerodium is dangling in front of hackers, researchers, developers, or anyone else who can deliver a method for compromising the security of iOS or "jailbreak" it by defeating the company's notoriously tough content protection technology.

The offer, announced Monday, sent ripples through a global marketplace in which technology firms, government agencies, even a few cybercriminal groups pay handsomely for exploits. It is also casting a harsh light on one notable holdout in that marketplace: Apple, the world's wealthiest corporation.

In what amounts to a technology grey market, spy agencies buy vulnerabilities from brokers such as Zerodium to use in attacks or defend themselves from other buyers. In the business world, software firms will purchase information on vulnerabilities to patch products and protect their consumers. But Zerodium's "" raises the stakes in the bug-hunting marketplace to incredible new heights.

Security researchers and digital rights groups alike say the company's hunt for iOS vulnerabilities threatens to make security worse for everyone, setting off a gold rush for flaws in iOS 9 that could end up in the wrong hands. In comparison, – considered a high sum for a company to pay for bugs it plans to patch – pales in comparison.

If his track record is any indication, that's what Zerodium founder Chaouki Bekrar is banking on. An offshoot of the French security firm VUPEN, which Mr. Bekrar also founded, Zerodium launched in July to match the talents of top security researchers with clients looking for vulnerabilities. At VUPEN, Bekrar employed some of the world's best technical talent to uncover exploitable holes in commonly used software for the benefit of VUPEN's clients.

In an e-mail, Bekrar described his current customers as "both Fortune 500 companies as well as three letter agencies." It is the latter that has digital rights groups concerned about his high-priced bounties.

"There are many experienced researchers already working on iOS exploits or stockpiling iOS zero days for various reasons," he wrote. "We believe that many of these talents will be attracted by the bounty and will definitely succeed."

That's troubling to Andrew Crocker, a staff attorney at the Electronic Frontier Foundation, who has researched the US government's practice of buying information about software vulnerabilities. Using a Freedom of Information Act request, Mr. Crocker was able to get a copy of the — the guidelines that the government and intelligence services use to acquire and deploy software vulnerabilities.

"It's an open secret that the government uses vulnerabilities for both offensive and defensive purposes," said Crocker. "And this isn't just vulnerabilities they discover, but those they acquire from other sources."

Crocker said that the practice of buying vulnerabilities from vendors such as Zerodium presents many problems. The least of those is that buying the information has the potential to make governments complicit in allowing software vulnerabilities to fester. And, because nation-states or cybercriminals might discover the same holes, such activity may put the public at risk, he notes.

One way to counter this, experts say, is for Apple to join other leading technology firms in paying researchers who discover flaws in its devices and software.

"The only effective way to combat this is [to] open up their bug bounty," said Mark Litchfield, founder of Bug Bounty HQ and one of the world's top independent vulnerability researchers.

While competitors such as Google, Facebook, Twitter, and Microsoft have all launched vulnerability "bounty" programs in recent years, Apple has stuck to a policy of not paying for information about holes in its software. Instead, the company offers a "Hall of Fame."

Top researchers note that praise on Apple's website is thin gruel when compared with the bounties paid by other tech firms. Information on vulnerabilities that allow remote code execution can fetch $10,000 to $100,000 — or more.

Apple is hardly the only prominent tech firm to abstain from cash rewards. Adobe and Oracle have also held back from launching that kind of program. But with the world's most valuable (and visible) technology brand, and more than $200 billion in cash on hand, Apple is in a unique position.

If nothing else, it could effortlessly corner the market on information on vulnerabilities in its software — offering generous rewards that would attract the best researchers in the world and lock up the bulk of zero days. But Mr. Litchfield said that the company wouldn't have to offer anywhere near $1 million to tap into what he sees as pent-up demand among researchers to crack their knuckles on Apple's products.

"Clearly they would never offer [$1 million] but if they can give some reasonable bounty amounts I am sure they would have some great issues reported to them responsibly," he said.

By doing so, Apple would undercut efforts of cyberarms dealers and third-party research firms such as Zerodium, Litchfield and others agree.

Apple did not respond to multiple requests for comment about the Zerodium bounty or its own plans regarding bug bounties.

While an employee at Microsoft, Katie Moussouris helped establish their $100,000 reward. She said such bounties "appeal to those who want to make a nontrivial amount of cash, plus get all the glory for helping to secure the ecosystem."

The $1 million Zerodium bounty "can't be outbid effectively in the defense market," said Ms. Moussouris, now chief policy officer of HackerOne, a firm that helps other companies set up and run bug bounty programs.

But she added that the monetary award comes with hidden costs: the "additional tax of knowing it will likely be used in an attack."

Editor's note: This story was updated after publication to correct the location of Zerodium. The firm is based in the US.
