Zimperium, the security company that found the "Stagefright" Android vulnerability, announced that it’s going to start paying security researchers for “N-day” software exploits. This way the company hopes to to shorten the lifespan of zero-day exploits, improve its anti-malware engine, and bolster the security of its partners’ mobile devices.
Zero-day vulnerabilities, or zero-days, are software bugs discovered by security researchers or malicious hackers that are still being kept secret from the public. These zero-day vulnerabilities can be revealed to the companies affected by them through full (public) or “responsible” disclosure.
Responsible disclosure often involves submitting zero-days to bug bounty programs. They can be worth anywhere from a few hundred dollars to tens of thousands of dollars if they're revealed in this way. On the black market, however, the same bug could fetch a much higher price from criminal hackers or government agencies.
Zero-day exploits can be used for months or even years before someone else discovers them. Those bugs and the exploits weaponizing them can be used to target journalists, activists, celebrities, politicians, and so on.
An “N-day” vulnerability is a zero-day vulnerability that has already been discovered by the affected company, but it may take “N days” for a patch to be released and enabled on a given user’s device.
A disclosed vulnerability is often not worth much at all anymore, since the attackers don’t want to waste time with a software loophole in the process of getting fixed by potential targets. But the vulnerability may still be purchased if it’s highly valuable, and most users are slow to update their software or devices, which means they could still be targeted even if a company has fixed the problem on their end.
Zimperium To Buy N-Days
Zimperium hopes it can get security researchers (or anyone who finds a zero-day vulnerability) to sell their exploits again after they’ve already sold them to governments or whoever else was interested in them. The company is doing this to give zero-day vulnerabilities a much shorter shelf-life, thus making it even more expensive for those who plan to use them to hack their targets.
The company has allocated $1.5 million for this program so far, from which it plans to buy multiple N-day vulnerabilities. The types of exploits it’s looking for are:
Remote exploitsLocal exploitsInformation disclosure vulnerabilitiesOther vulnerabilities can apply but needed to be described in the email
What’s In It For Zimperium?
Zimperium started the “Zimperium Handset Alliance” (ZHA) in 2015 after it discovered the Stagefright bug that affected virtually all Android users. A list of over 30 companies, including Samsung, Softbank, Telstra, and BlackBerry, joined Zimperium in a sort of security-oriented consortium.
Zimperium plans to share the vulnerabilities it buys with the ZHA members (there’s likely a remuneration/membership plan in place) and give them 30 to 90 days to fix the bugs before they're disclosed to the public. Exploit authors can request that the bug is never shared with the public, but they'll always be shared with ZHA members, which can then use that knowledge to fix their own devices.
The security company also intends to use the techniques found in the purchased exploits to improve its anti-malware z9 engine. According to Zimperium, its z9 engine has already caught all publicly disclosed kernel exploits released over the past couple of years, without requiring an update.
Stay on the Cutting Edge
Join the experts who read Tom's Hardware for the inside track on enthusiast PC tech news — and have for over 25 years. We'll send breaking news and in-depth reviews of CPUs, GPUs, AI, maker hardware and more straight to your inbox.
The down side of exploits being monetized is that it actually creates an incentive for software developers (both commercial and open source) to hide security bugs in their code.Reply
However, once the cyber criminals & governments started paying for exploits, the cat was already out of the bag. At least having vendors and security companies being willing to pay can take some of the sting out of being a virtuous security researcher.