Software vulnerabilities are not at the heart of every cyberattack. Social engineering and Living Off The Land (LOTL) tactics, for example, are often sufficient to pull off a successful attack on their own. However, as technology continues to advance and evolve, the scope for vulnerabilities in software also increases. A software exploit can give its possessor the power to infiltrate an organization's network and impose irreparable damage and financial pain via ransomware attacks, mass surveillance campaigns, lost intellectual property, service downtime, compliance violations, and reputational damage, among other negative impacts.
In previous articles, we have discussed how cyber criminal organizations offer hacking services for hire on the dark web, including Ransomware as a Service (RaaS), Phishing as a Service, and DDoS as a Service (DaaS). In this article we discuss how software exploit code is traded, which types of exploits are most valuable, and the ethical and legal implications surrounding the market for zero-day exploits. These exploits are often sold to government agencies or private security contractors for surveillance or intelligence purposes. Along the way, we will look at gray-market companies like Zerodium and Crowdfense that pay millions for exploits that are unpatched and not publicly disclosed.
Zero-day software exploits are vulnerabilities in software that are unknown to the vendor and consequently have no patch available at the time of discovery. These flaws can be exploited by attackers to bypass security measures before the developers are aware of the issue. Because they exploit previously unknown vulnerabilities, zero-day exploits are particularly valuable for conducting undetected attacks, and they often command high prices on the black market from entities seeking to exploit them for various purposes.
For a more complete review of the types of zero-day vulnerabilities, you may read our previous posts "What is a Zero-Day Exploit?" and "How Do You Protect Against Zero-Day Attacks?", the latter covering specifically how to defend against zero-days.
The market for software exploits operates in a complex ecosystem. It involves completely legal venues such as hacking competitions and bug-bounty programs, where newly discovered zero-day vulnerabilities are responsibly disclosed, as well as gray-market and illegal or underground market segments. Within the legal markets, buyers include the world's biggest technology companies. The gray and illegal markets, however, are supported by cyber-criminal organizations and nation-states.
While zero-day exploits fetch the highest payouts, there is also an underground marketplace for code that exploits already known vulnerabilities. In some cases, a particularly widespread vulnerability has no effective proof-of-concept (PoC) published, in which case working exploit code can also fetch a significant price. For the purpose of this article, however, we will focus on buyers of zero-day exploits.
Beyond whether a vulnerability is novel, the exploits that fetch the highest value are those that can be triggered remotely and yield unauthorized root/system-level remote code execution (RCE). After those most severe vulnerabilities, local privilege escalation vulnerabilities are also rated as very high value.
Here's where exploit code is traded on the legal market:
Responsible Disclosure Programs: On the legal side of the market, some software and hardware vendors directly offer incentives to programmers and cybersecurity researchers who discover vulnerabilities in their products. For example, Microsoft, Google, and Apple all allow security researchers to submit their bugs so they can be disclosed via their Vulnerability Disclosure policies.
Centralized Bug Bounty Programs: Again on the legal side of the market and closely related to responsible disclosure. Centralized bug bounty programs allow companies to leverage rewards to attract security researchers to test and audit the security of their software, paying only when bugs are found. Although bug bounty programs can make security testing more accessible to medium-sized companies, they are not a reliable or comparable replacement for an Application Security Testing (AST) or Red Teaming engagement. Here are the most popular centralized bug bounty programs:
HackerOne: A platform that connects businesses with cybersecurity researchers. HackerOne hosts vulnerability coordination and bug bounty programs for a wide range of companies and has been instrumental in many significant security improvements across industries.
Bugcrowd: Another major platform that offers similar services to HackerOne, with a wide array of public and private bug bounty programs. It also provides penetration testing and vulnerability disclosure programs.
Hacking Competitions: There is little difference between hacking competitions and bug bounty programs other than a time limit for exploiting the target. Both result in the responsible disclosure of any exploited vulnerabilities. Here are the most popular hacking competitions in the world. Those interested in entering hacking contests can track global events.
DEFCON Capture the Flag (CTF) - The final event in a series of competitions and one of the most renowned worldwide, held annually at the DEFCON conference in Las Vegas. Here is the qualifier for DEFCON CTF 2024.
Pwn2Own - Famous for targeting popular hardware and software, participants attempt to exploit widely used technology such as Tesla cars, with winners receiving the hacked device and a cash prize. Pwn2Own is sponsored by the Zero Day Initiative (ZDI), which acquires the zero-days demonstrated there and then reports them to the affected companies with the goal of getting the vulnerabilities fixed.
Hack In The Box GSEC CTF - Organized by Hack In The Box (HITB), this competition often occurs alongside HITB global security conferences.
CSAW CTF - Hosted by the NYU Tandon School of Engineering, it's one of the largest student-run cyber security events in the world.
Gray-market exploit brokers operate in a secretive and competitive market, dealing primarily with government clients and focusing on acquiring tools that can be used for intelligence gathering and cyber-espionage.
Zerodium: Zerodium offers large financial rewards to security researchers for exclusive access to zero-day exploits. Zerodium's primary customers are government organizations that require advanced cybersecurity capabilities to defend against zero-day attacks. It emphasizes high confidentiality and restricts the sale and dissemination of the acquired exploits, ensuring exclusive access for its clients. Zerodium offers rewards of up to $2 million for unauthorized root-level remote code execution (RCE) vulnerabilities. Zerodium considers various aspects of a bug when setting a price, such as the products it affects, its criticality, how it can be exploited (attack vector), any specific configuration needed, and whether user interaction is required. Partial exploits, such as a browser RCE without a sandbox escape, are also eligible.
Crowdfense: Crowdfense offers high rates for zero-day exploits, which drives up both the value of and the demand for these vulnerabilities in cybersecurity and espionage. Crowdfense is currently offering substantial rewards for zero-day exploits: between $5 million and $7 million for vulnerabilities that compromise iPhones, up to $5 million for those affecting Android phones, between $3 million and $3.5 million for exploits targeting Chrome and Safari browsers respectively, and from $3 million to $5 million for other exploits such as zero-click attacks against WhatsApp and iMessage.
Black Market Threat Actors: The black market for software exploits operates on anonymous online platforms such as Telegram and dark-web forums that offer encrypted communications. This illegal segment of the market enables cybercriminal groups and hostile nation-states to acquire exploits without any form of accountability. Some dark-web marketplaces are only accessible via special privacy-enhancing services such as Tor.
The market for zero-day software exploits represents a crucial and shadowy facet of global cybersecurity. It operates across a spectrum from legal, transparent activities such as bug bounty programs and hacking competitions, to the gray and black markets where legality blurs and ethical questions emerge. High-profile brokers like Zerodium and Crowdfense illustrate the high stakes involved, with governments often being the end customers, aiming to bolster their security or espionage capabilities. This market's existence underscores the ongoing arms race in cyber capabilities and highlights the importance of advanced security measures and policies to mitigate the risks posed by these potent tools.