Ask HN: What is the best way to get paid for discovering zero day exploits?
Let's say I discover a security exploit and want to profit from it. What do you consider the best way to make monetary gain from this discovery? I have found the Zero Day Initiative (http://www.zerodayinitiative.com/) but I was wondering if any other mechanisms were considered legitimate by HN.
19 comments
[ 3.5 ms ] story [ 47.2 ms ] thread1. Responsible Disclosure:
Do you have a privilege escalation, sandbox escape, remote code execution, etc. vulnerability in a major browser (Internet Explorer, Chrome or Firefox), a major operating system (Windows, OS X, Linux or Unix), a major mobile operating system (iOS or Android), a major programming language (including but not limited to Python, Ruby, PHP, etc.) or a major software framework/library/platform (including but not limited to Django, OpenSSL, Bash, Flash, etc.)? If not, is it somehow not on that list but impacts the internet in a horrific way?
Good news, you can responsibly disclose directly to the Internet Bug Bounty (https://internetbugbounty.org/) and claim a five figure reward (or greater, theoretically). You can report to Google or Microsoft if it's specific to one of them and they'll pay you directly. You can also grab a neat CVE and enjoy extremely high employability and prestige in the lucrative security industry.
If you have a vulnerability in the above list, this is basically the best game theoretic way to go, in my opinion.
2. Third-Party Disclosure:
You can sell to a third party which promises to both reward you and notify the vendor, but you really don't know exactly what happens to the vulnerability. This is kind of like the Zero Day Initiative, and others like it. You'll probably fetch a price about comparable to legitimate disclosure, but you'll probably be unable to publicly disclose that you found it as a condition of payment, and you're not entirely in control of what happens.
This is more controversial. You won't be known for the finding, and even if you somehow are, you won't be universally praised for it in the industry. A lot of security researchers (myself included) fundamentally disagree with this approach, but it probably won't be an obstacle to being hired. This is a good route to go if you want to be paid for something that is legitimately serious but which will not be honored through purely responsible disclosure (as a term, not a moral judgment) because the vendor is hostile towards security research.
3. Outright Sale on the Black Market:
This is pretty straightforward - find a broker such as Hacking Team and offer to sell them a vulnerability you found. The upside here is that you will receive a significantly higher payment than you would through legitimate disclosure. For a vulnerability that allows code execution in iOS, for example, you can expect about $500,000 from a broker. If you're looking for a career as a blackhat, this is basically going to be the route you choose, and it will be quite a lucrative one depending on your risk tolerance.
The downsides are powerful, however - if it becomes public that you sell vulnerabilities on the blackmarket, that effectively labels you as a blackhat. You will be a pariah in the security industry and your employability will drop severely. The only way to stay employable at that point is to both publicly decide to "turn sides" and to be so astonishingly skilled that people basically have to tolerate your past activities. On the other hand, if it never becomes public that you sell vulnerabilities on the black market, you suffer from not being able to publicize quality security research that could benefit your career.
I consider the best method of monetary gain to be finding several high value vulnerabilities, responsibly disclosing them and becoming a solo security consultant. This has more to do with ethics and risk tolerance than it does with potential earnings - a legitimate securi...
Do you have any recommendations on books to learn about finding exploits in general? My specific skills are in deep and nuanced areas of the Android kernel, and I have some good ideas on potential areas to investigate, but a thorough understanding of the subject would be helpful. It seems like a very lucrative hobby or full time endeavor.
I had quite a lot of fun for years doing it, though it was draining and I grew tired of it. When I'd see an exception I'd get so excited - it was like a constant rollercoaster of highs then it would flatten out to a middle area, eventually hitting low when your fuzzer was finding less bugs. I find the VR cycle goes like this, at least for me:
* research your target - obtain a whole bunch of background knowledge, e.g. protocols or file specs. Hopefully you can find out what you want on-the-line, otherwise you have to try your best at reverse engineering (RE) your target.
* depending on how you're hunting for vulns, you'll be doing either fuzzing or binary analysis (RE). So if you're fuzzing, you need to write your fuzzer. The offset on time regarding fuzzing vs binary analysis (a topic of its own!) I usually find comes out relatively evenly (target dependant however).
* running your fuzzer (obviously not required if you're doing binary analysis)
* going through your exceptions, narrowing them down based on exploitability from the little crash dump info you have. Then figuring out what caused the crash. This can be quite difficult and time consuming depending on your target, for example, analysing a crash in a compressed stream in an adobe reader document. Again, as an example, if you have 10 unique crashes this can take a while.
* now that you understand what went wrong and you believe it is exploitable, you need to figure out how to do just that. I like to think exploitation is a field of its own. Some of the best exploit writers dont do so well finding 0days, but exploiting them is another story!
* then the easy part, mail your people and wait to see an offer.
You need to be able to motivate yourself to do well in VR. As I mentioned at the top of this post, seeing an exception would be a pretty big high for me, chasing this is what I think enabled me to do it for so long. All this takes so much time, from a couple of hours to days to months. While I'm on it, I often hear people say you need to be smart to do this type of stuff. Not true. Persistence is what is required. Being smart only takes you so far.
In the end, there's easier ways to make money, though I wouldn't be where I am now if I never did vuln research (VR). Still got friends that do it now, they never seem to tire from it!
I would highly recommend anyone getting into security to do VR for a period of time. Release a bunch of bugs responsibly to the public for free - it gets your name out there (can be worth more than the bug itself in the end). Only after you've released a few publicly should you look at selling the next. You learn lots of different skills you'll use throughout your security career and it will put you into that top tier of security professionals.
I still do a bit here and there. Its not as stimulating as it used to be for me anymore. :(
Overall, its a pretty awesome life.
* Apologies if there are typos above, didnt have time to review it.
What OP doesn't mention is that there are legitimate brokers. You dont have to use those shitty hackerone services.
My personal view is that I would not sell vulnerabilities on the black market, and I most likely would not do it through a third party broker either. Also note that I presented options as game theoretic decisions - I personally have ethical considerations, but those do not color the very obvious career differences for so-called "whitehats" and "blackhats" (terms which I do not enjoy but which are good enough for a discussion that doesn't require so much nuance).
Also, as someone who makes their living selling exploits I rather disagree on your claim that selling vulnerabilities is something that would have you labeled as a "pariah". I don't think I've ever seen that happen.
I don't have any good citation for the going rate for a high value vulnerability on the black market, but if you look I'm sure you'll see it can easily enter the mid six figure range.
As for "good vs evil" - I never used those words. Morality is a word I used because it provides a useful context against which to judge legitimacy. You can fairly say it is unethical to sell vulnerabilities for the explicit purpose of exploitation. I don't particularly care to color it this way; I disagree with such actions but I still respect my fellow colleagues who do it.
However, if you sell a vulnerability to a group that will explicitly use it for malicious purposes and this becomes very well known, you'll obviously become a polarizing figure and many doors will close on you. Not all, of course. Just a lot of high value ones.
This is not to make a moral judgment - it's just a reality that a lot of organizations won't want to be associated with you if you're labeled as a blackhat. Of course, if you do that you'll find plenty of other high value doors suddenly open up.
Source: I did this for many years. Works out to be an awesome bonus on your current day job!
The easy way, if you want to this sort of thing regularly, is to work for a place that discovers zero day exploits. You'll get a salary/wage and benefits. Here is a fun place to do that: http://advancedsecuritylabs.com/