This year has been a dynamic year for the bug bounty market, with new vendors and third-party start-ups entering the arena of buying and selling software vulnerabilities.
As one of the first players in this market with the TippingPoint Zero Day Initiative (ZDI) and sponsor of Pwn2Own, HP knows how the market is changing and where it’s headed.
Particular trends that HP sees emerging in 2013 are:
- The shift to mobile vulnerability research.
- The increasing value of exploit techniques, as well as implications for pricing and disclosure methods.
- New motivation for buyers and sellers, and how it’s impacting the reputation of the market.
A shift to mobile vulnerability research
As mobile technology advances, an abundance of new risks and vectors for security vulnerabilities are emerging within these areas, including:
- Mobile Web Browser
- Mobile Operating System
- Near Field Communication (NFC)
- Short Message Service (SMS)
- Cellular Baseband
Mobile devices are always in-pocket and switched on, increasing the attack surface and opportunities to exploit it. This field will be a continued area of focus in 2013, as hackers and security researchers aim to discover new vulnerabilities and vendors attempt to defend their systems against these attacks.
The increasing value of exploit techniques
As the vulnerability research market matures, vendors are taking steps to mitigate attacks. In turn, hackers and researchers must work harder to develop exploits that circumvent these mitigation techniques.
As these exploits become more complicated and therefore more valuable, researchers will not want to share details of these exploits without substantial compensation.
However, the fact that programs such as ZDI allow researchers to responsibly disclose software vulnerabilities they discover without revealing their exploit techniques is key. Additional benefits of such initiatives are:
- Vendors can repair the bugs to prevent exploitation by hackers, but the exploit technique can still be used by the seller for future research.
- Often vendors use the vulnerability to discover and patch other related vulnerabilities.
New motivation for buyers and sellers
Several new buyers have entered the vulnerability market this year, which is evidence of the increasing demand and value of the vulnerabilities.
Each buyer brings a different motivation and methodology to the table, adding complexity to the market and raising confusion and scepticism as to its impact on the overall security posture of the industry.
Sellers (security researchers and hackers) are realising the value of their research and the new multitude of options available to them on where to sell their bugs.
Given all these new choices, it’s essential to keep the white market strong for buyers and sellers who want to improve the security posture of the industry.
White market players have the ability to leverage business-to-business relationships to help affected vendors secure their software.
The white market relies on mutual trust, and it is essential to keep the relationships with both researchers and vendors strong to maintain the integrity of the market.