Saturday, March 27, 2010

The Bounty For An Apple Bug: $115,000

Via Forbes.com (The Firewall Blog) -

It's been a tough month for Apple's security team.

First Mac hacker extraordinaire Charlie Miller revealed that he'd found 20 exploitable vulnerabilities in Apple's Preview software, all of which apply to Safari as well. Then, at the Pwn2Own hacking competition in Vancouver, Miller and two other security researchers hijacked both an iPhone and a MacBook Pro in minutes. (Firefox and Internet Explorer 8 were hacked too, though Google's Chrome is still standing.)

Apple apologists will likely respond to that news with the usual refrain: Even if Apple is insecure, it's still safer, given that cybercriminals don't bother to target the 8% of American users who use Macs, by tech tracker IDC's count.

But Adriel Desautels, whom I spoke to for this magazine profile of Charlie Miller, might feel differently. Desautels runs Netragard, a cybersecurity firm that acts, among other things, as a bug broker: Desautels buys vulnerability information from independent hackers and sells it on a growing, secret, and unregulated market. (Just who his customers are, Desautels won't reveal, though he argues that he screens them to make sure he's not selling exploit ammunition to cybercriminals.)

Desautels says that as Apple's user base has grown, so has the market for Mac bugs. And he's now willing to pay between $15,000 and $115,000 for the right Apple-focused security flaw. "There's a very big market for Apple bugs right now," says Desautels. "Our buyers are very interested, and in some cases explicitly asking for certain kinds of Mac bugs."

[...]

Desautels says his Apple bug bounty is still around 15% less than he would pay for the equivalent PC-focused flaw, given that high-volume cybercrime is still much more common than targeted espionage. But that slim difference shows that Apple is in fact being targeted, he says. "As Apple has become an accepted platform for business and communications, I've definitely seen an increase in demand," he says.

Hackers who win Pwn2Own by taking control of target systems each receive a $10,000 prize along with the hardware they've hacked, and researchers Vincenzo Iozzo and Ralf Philipp Weinmann, who teamed up to hijack the iPhone, will split $15,000. Those rewards are close to the high-end amount that the Zero Day Initiative, which runs Pwn2Own, or Verisign's iDefense division would usually pay for bugs. Both companies inform the software vendor of the vulnerabilities and implement the fix in their security products, rather than keeping them secret as Desautels' customers almost certainly do.

That means the researchers at Pwn2Own deserve praise for exposing their bugs to someone who plans to fix them. They could likely have earned far more by pawning them in private to someone with shadier purposes.
