Hackers can earn more by selling vulnerabilities than security experts on bug bounty programs

Hackers can earn as much by selling vulnerabilities as, and often more than, information security experts who take part in bug bounty programs or the so-called "gray hats" who reverse engineer for governments.

So says Oliver Rochford, head of research at Tenable.

Oliver Rochford

"Vulnerability research is an expensive process, and the white, black and gray markets use the same methods to search for vulnerabilities, despite the legal or illegal specifics," says Oliver Rochford.

The main difference between criminal and legitimate parties is ethics. The mechanics (finding the vulnerability, then researching and developing an exploit) are the same for criminals and researchers; the difference lies in what each side does with the result. Cybercriminals act with the aim of espionage, sabotage and fraud, while information security experts use their findings to analyze existing threats.


According to Rochford, in some cases it is possible to earn much more legally (in this area, hackers can earn about $75,000). On the underground markets, however, a vulnerability in Apache or Linux can fetch about $1 million, while exploit brokers offer only about $500,000.

Vulnerabilities in WhatsApp for Android can also bring $1 million on the black and gray markets. Within bug bounty programs, the most lucrative vulnerabilities are those affecting Safari on iOS; in general, bugs in iOS can earn about $1 million through bug bounties and $2 million on the gray market.

According to Rochford, cybercriminals have on average seven days to exploit a vulnerability before security experts begin to analyze it, which is why "companies need to take measures to strengthen security."

"Companies need to harden their attack surface and raise the level of attack. Reducing market supply and increasing production cost also increases the value of exclusive zero days, thus incentivizing investment again," says Oliver Rochford.

According to a recent Bromium report, cybercrime revenue is estimated at $1.5 trillion, while the total cybersecurity market in 2019 was $136 billion.

About the author

Sophia Zimmerman

Tech and computer security copywriter, SEO editor and online marketing consultant