CNNMoney's Jose Pagliery discusses cyber weapons dealer Zerodium, which sells hacking tactics to governments and corporations. Pagliery says that "when there are bugs in software, bugs in products, normally if you find them you tell the company so that they could fix it. In fact in the last few years companies like Microsoft, Google and others, have adopted these things called 'bug bounties' where they're willing to pay you so that you tell them the flaws in their products and they could fix it. This turns this entire model on its head. Because what we're dealing with is a company that's willing to pay you to find out what's wrong but to keep it secret so that it can weaponize that and hand that to a company or a government. And from there we have no transparency."

Zerodium's business is extremely controversial, because it is selling "zero-days," the golden gun of the cyber world. These are rare, powerful hacks that exploit never-before-seen vulnerabilities. They get their name from the notion that tech companies have had "zero days" to fix them.

"This is a weapon," said Zuk Avraham, founder of cybersecurity firm Zimperium. "It takes one man to write an exploit these days -- one man willing to sell his soul to the devil."

"The recent story between the FBI and Apple shows the most interesting aspect of the zero-day business, which is the need for government agencies to get access to unpatched flaws to properly conduct investigations and save lives," he wrote.

And Zerodium isn't the only company selling zero-days to the highest bidder. Experts who closely watch the zero-day market say this business is also conducted by government contractors, like weapons maker Lockheed Martin, consultants at the RAND Corporation and the Florida-based Harris Corporation, which makes a police phone-tracking tool called the Stingray.

Selling zero-days on the open market can make the Internet and gadgets less safe to use, experts tell CNNMoney.

Non-profit Mozilla says it has rewarded researchers for spotting 260 bugs in the past two years, paying around $3,000 on average. But compare that to Zerodium, which openly advertises it will pay up to $30,000 for a Firefox hack.

Dixon-Thayer said there's now direct pressure on tech companies everywhere to raise their bug bounty prices -- making computer security even more expensive.