71 comments

[ 4.2 ms ] story [ 135 ms ] thread
I'm not sure I understand the cognitive dissonance here. The same imbalance exists in a lot of commercial products; for instance, a new reliable Chrome bug chain might earn you more than a Chrome developer makes in a year, and a lot of those people make bank. It's simply the case that for some projects, reliable exploits are more scarce than feature engineering resources --- they involve different skill sets.

None of this is to say that $25k is adequate compensation for critical FOSS development work.

Solution: put bug in, get accomplice to claim bug bounty under an alias.

(This is fraud, don't actually do this! But it comes up every time someone does bug fixing metrics)

Obfuscated Open Source Subtle Bug Insertion Contest

Edit: If it's not a bug bounty to fix it, but a vuln bounty to sell it, then it's highly-unethical but not necessarily illegal.

Sounds like the University of Minnesota already has a team ready.
Seems like unnecessary steps- I'm sure Zerodium would be happy to just pay you directly to put in a backdoor
Erm how would that be fraud? It's certainly unethical to the software's users, but seems to fit the spirit of a private bug bounty. Apart from the ethics, what would legally trip you up is later "disclosing" that bug as a public bugfix, which is presumably against Zerodium's terms.
Sploits are worth a lot more because of the damage they can do.

Fixing some bugs and adding some features is a nice-to-have that most people and companies aren't willing to pony-up much for.

Fair point, but as someone not familiar with exploit markets, I do find it surprising that an exploit in a relatively niche (because desktop linux is relatively niche) IM client is worth $100,000k.
Zerodium is a proxy for governments wanting to buy exploits. That niche IM client might be the software of choice for a child-exploitation ring or a high level ISIS commander.

Comparatively a single hellfire missile costs $150k - plus $32 million for the drone to fire it from.

The 100k exploit bounty is probably less than the yearly cost of 1 agent for many government organisations. So the target doesn't even have to be a high value ISIS terrorist to make this bounty worth it. Just save them 1 or 2 FTE somewhere and the economics already work.
I would have thought the same, but the existence of this "ask" certainly would suggest there is indeed demand from a market dynamic perspective. Pidgin is cross-platform, and you could conceive that it was being used by people for various activities with OTR or OMEMO end-to-end encryption. At that point, there's a bunch of potential customers looking to pay Zerodium for a good, robust, zero-click exploit that would give them access to exfiltrate and monitor messages sent through the client.
The work is the work, no matter how much the project itself took to build. If it was easy for exploit developers to pull a Pidgin exploit out of their butt, they'd be cheap. The fact that it's a niche target can actually make bugs scarcer; sometimes, exploit devs can draft off the work other people have done beforehand.
Sure, my surprise is more that the demand exists at $100k, not that the supply isn't cheaper.
I get why that's surprising but I think it's important to beat that surprise out of your brain, because $100k is a rounding error for any state-level actor --- not just the US, but, like, Seychelles as well. If you have a problem that can be solved with a Pidgin exploit, it's a problem you'd fall over rushing to write a simple $100k check for.
What's so perplexing to me is why the pay grades for people in the military are so low. Take Michael Flynn, for example, the O-9 pay for a three star general is lower than what a senior software developer makes. Surely if we're spending $100k a pop for these random exploits it makes sense to spend more at the top of the military to make sure we're buying the right ones.

Also, I don't really see any possible way out of this cyberarms market. There are too many degrees of freedom to really secure anything completely and I'm continually surprised that our governments allow the sale of these munitions to non-allied foreign governments. If someone puts up a $2m dollar bounty for Tesla do we just accept this even if it means physical harm?

I think we don’t want those at the top of the military to be motivated by money.
You're missing the value of military pensions and healthcare when you speak about O9 compensation.
Undoubtedly some TLA has learned someone of interest is using Pidgin, and has offered a premium for an exploit to target them. TLAs have deep pockets for such things.
Pidgin has, or at least had, more usage than you might think. I know that it was the typical Jabber client at Oracle a couple years ago. It's been superseded by Slack/Teams/Zoom recently, but it's not exactly rare. Also, if you were going to profile network admins or ops people that might be interesting to target for attack, they're more likely than most to be running Pidgin.
Pidgin is ubiquitous on darkweb drug markets and in exploit communities.
The 0day market is actually getting disrupted by cryptocurrency. Even the major exploit brokers can't compete with weaponizing the exploit against an exchange or online wallet provider to net tens of millions in easily cleaned money.
Any evidence of this?
Its pretty common sense, if you exploit people and steal their cryptocoin wallets, that is worth a lot more than a single one time payment of 100k.
Speaking of common sense ... most people don't have cryptocoin wallets
Also, those selling 0days are not the one's using them in the wild... out or principal. One can sell a 0day and float away on a silver cloud never to be seen again, but use it in an active campaign and they'll come after you hard.
Yes it makes sense, that doesn't mean it is common. I can sell a 0-day for money and it is legitimate income. If I try and scam an exchange I have to be successful, be able to clean the coins I steal and then hope I am not caught.

I would take the 0-day payday thanks.

But not more than Google's revenue / Chrome project funding. (Or at least not above board, out in the open like this.)

I don't necessarily disagree with you, but I do think it's dissonant enough to be interesting.

The difference is that Zerodium can turn around and sell these exploits to autocratic governments. More often than not, these governments then use the exploits to monitor political dissidents.
If you're reading me as saying the two enterprises are morally equivalent, you're taking something I'm not saying from that comment.
Sorry, I did not mean to imply that. I was just noting an important difference between bug bounty-style exploits funded by companies and what Zerodium does.
and to democratically elected governments too, who will then spy on their own citizens
Compare the project fundings?

Chrome funding is probably in the XXM$/year, while Zerodium offers 500k$ for a vulnerability, that's an approximate 20-100 funding / vulnerability ratio.

Pidgin is at 25k$/year, for 100k$ for a vulnerability, so a ratio of 1:4.

I think the only reasonable conclusion is that community-driven opensource projects are 100 time safer than private company-funded opensource projects /s

I don't think cognitive dissonance is the right label to apply to this. I read it more as a misalignment of incentives. It's a sad comment on the state of things that a year of effort to produce some popular software is worth only a quarter of what somebody else is willing to pay for exploitable bugs in that same software.

Like, I understand why that's the case, but it still sucks.

Unless the foss developer is also getting the RCE award.
That would be a conflict of interest, no?
I would pay more than my yearly salary to find out if I have a 'curable' cancer, so that I could treat it. To not, or ignore that, would likely mean my death. I imagine it is similarly motivating for OSS projects.
It's not.

OSS projects aren't people with curable diseases. Most of them are labors of love, run by people in their spare time. Those people have needs that are mostly not met by working on open source projects. Epsilon open source projects are well-enough funded that nobody in the project feels starved for resources.

Bug bounty programs are only useful for these projects if the details of the bug are shared with the project. Zerodium's model relies on keeping developers unaware of the bugs for as long as possible [1].

Nobody developing OSS is grateful for programs like Zerodium.

[1]: https://security.stackexchange.com/questions/199480/what-doe...

One difference is that people may have a safety net in either savings or insurances, but underfunded open source projects don’t.
(comment deleted)
Vupen / Zerodium folks (Chaouki Bekrar, et. al.): helping governments monitor, abduct, torture, silence, and murder their enemies through monetizing sploits.
except they don't see it that way. they don't see at all when money is blinding and used to look the other way.
They know exactly where their sploits are going and how they're being used, they chose to look away with a blind eye.
Many of these exploits (certainly not all) have been used to catch child predators. I do not know of any case of a 0day being used against journalists or hackers from a NATO country.
From Zerodium’s FAQ page:

> Zerodium customers are government organizations (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities.

Based off Zerodium’s origin and reputation, it seems an exploit is sought which enables a governmental actor to examine information that it otherwise could not. I am assuming they do not have a legal basis for doing so or courts would have granted/ordered such access.

> I am assuming they do not have a legal basis for doing so or courts would have granted/ordered such access.

It's also possible that they have a lawful basis and warrant, but realise executing a physical warrant won't get access to what's required - with e2e encrypted chats going over Pidgin, on an encrypted laptop, you need to be very confident that when you swoop, the laptop is on and decrypted. You get one "go" at that, otherwise you have a suspect, little or no evidence, and an attorney requesting their immediate release on bail absent any actual evidence, which would let them flee and clean up any other evidence that may be out there, either with them or others.

This assumes they even know the physical location.
How do you think warrants work? The police suspect Criminal Charlie of organizing a crime using pidgin, so they get a warrant, then they give the warrant to Charlie? "Please remember to cc us on all your criminal plans. Thanks."
The issue isn’t about the warrant but the over breadth of the method for getting the desired information as it can leave other users vulnerable. Whether they have a warrant or not, this seems like overkill, because they could obtain said info in a much more straightforward way, assuming they have probable cause.
The NSA doesn't need a warrant to intercept foreign communications, for just one example.
Governments can offer bounties to find exploits, it is just too public if people know which government is looking for what. It isn't a legal issue.
Also 'mainly' does not mean exclusively. If you think they won't sell an exploit to some tinpot dictator then I have a bridge to sell you.
What Pidgin user(s) could possibly be worth that much?

Are there some activist or terrorist monitored by a 3 letter agency that is computer literate enough to use Linux + pidgin to try and keep away from prying eyes (or just plain ethical reasons)? Or would the exploit end up being targeted at some foreign government that has standardized on Pidgin?

There are many government organizations which are still using XMPP and the Clients they usw are most likely based on libpurle the vasic library for pidgin and similar clients (Adamantium on MacOS).
Maybe someone who's holding a LOT of crypto?
Maybe. But if you're holding a LOT of crypto, it's very unwise to store the private keys on an internet-connected computer you also use for instant messaging and other things.

(I'm sure plenty of people do actually do that; just lamenting the fact rather than expressing skepticism at the plausibility.)

I left like $80 worth of crypto on a computer that my nephew was using for gaming online, and only remembered when I realized that it had grown to be worth over $1000

Fortunately I recovered it before any of the virus-riddled crapware he downloaded noticed it was there, haha

Either seems plausible to me, especially since US$100k chump change for a TLA or other state sponsored actor.
Pidgin is the IM client provided in Tails Linux. In practice that makes it the OTR over XMPP client provided in Tails Linux.

I suspect that this use also causes those that are not doing Tails to use Pidgin on Windows to communicate with those that are. After all, Pidgin is in Tails. It must be secure.

Well, surely you just have a confederate add one, sell the exploit, then patch it. Do it three times and you’ve got a decade of funding. I’m sure you’ll get away that many times.
I wonder which Pidgin user is the "target" of this increase.
isn't this the polar opposite of responsible disclosure? This rubs me as completely unethical.
It’s sad state only because the FOSS developer managed a low funding. OTOH, if they had managed significantly more, say a million, then irrespective of the bounty size we wouldn’t label it a sad state.

This is to say that FOSS needs more funding and contributors; rest of the industry can do whatever they want, and we wouldn’t care.

Begging cash for os exploits is trashy and rude, the author should have just submit a pr with the fix. Target crapy closed projects where real money is next time and ask for more, peasant.
... you probably should read the submission again.
They encourage finding bugs and then begging money for open source stuff. This is crazy. 100k should go to people like Gary.
Wait, couldn't the developer just add an RCE vuln intentionally and then claim the bounty ;)