Hackers can earn as much by selling vulnerabilities as, and often more than, information security experts who take part in bug bounty programs or the so-called “gray hats” who reverse engineer for governments. So says Oliver Rochford, head of research at Tenable.
“Vulnerability research is an expensive process, and the white, black and gray markets use the same methods to search for vulnerabilities, despite the legal or illegal specifics,” says Oliver Rochford.
The main difference between the criminal and the legitimate parties is ethics. The process itself (vulnerability discovery, exploit research and development) is the same for criminals and researchers; what differs is how each party uses the vulnerabilities it finds. Cybercriminals, for example, act with the aim of espionage, sabotage and fraud, while information security experts analyze existing threats.
According to Rochford, in some cases it is possible to earn much more legally (hackers in this field can earn about $75,000). He adds that on underground markets a vulnerability in Apache or Linux can fetch about $1 million, whereas exploit brokers offer only about $500,000.
Vulnerabilities in WhatsApp for Android can likewise bring $1 million on the black and gray markets. Within bug bounty programs, the most profitable vulnerabilities are those affecting Safari on iOS; in general, about $1 million can be earned for iOS bugs through bug bounties, and $2 million on the gray market.
According to Rochford, cybercriminals have on average 7 days to exploit a vulnerability before security experts begin to analyze it, which is why “companies need to take measures to strengthen security.”
According to a recent Bromium report, cybercrime revenue is estimated at $1.5 trillion, while the total cybersecurity market in 2019 was $136 billion.
“Companies need to harden their attack surface and raise the level of attack. Reducing market supply and increasing production cost also increases the value of exclusive zero days, thus incentivizing investment again,” says Oliver Rochford.