by Rotdhizon 2505 days ago
I'd imagine this is to combat marketplaces like Zerodium and the deep web. Traditionally grey hat hackers don't always go through bug bounty programs because the pay is awful compared to what you can get through less ethical sources. By flexing that much cash at bug hunters, they are potentially now offering even more than what you could get on the mentioned markets. The only reason people go underground to sell exploits is for the money. Take away that variable and suddenly there's no reason to sell exploits to bad actors; just sell them straight to the source at Apple and get a fat paycheck.

On these marketplaces, how do people demonstrate PoC without giving away the intellectual property? Or is it unproven and completely reputation based
Reputation plays a big part in it on both sides. Most buyers are not Zerodium, putting themselves out there as buyers. So, there is a certain degree of vouching that happens as someone introduces a buyer to a seller.

So, when either party violates the agreement, it reflects poorly on the person who made the introduction, making it harder for them to make those connections in the future. And these introductions matter; most sellers don't want to just sell to anyone, there needs to be some trust that who you're selling to will be selling it to friendly governments or whatever. It's not like a Craigslist ad where you sell to just anyone who answers.

So that acts as a deterrent on the buyer side. It'll be harder to get new sellers if you have a poor or no reputation.

On the seller side, you're not going to get too many people willing to vouch for you as you start burning bridges by selling non-working exploits.

And on that, the payment scheme acts as a deterrent, like the great-grandparent said:

> grey-market sales are valued on continuous access; you get paid over a period of time, and if the bug you sold dies, you stop getting paid.

That is, you might get XX Thousand upfront, and then an agreed upon XXX thousand based on the exploit surviving XX days.

So trying to scam the buyer will net you a small amount of the total at best, but I mean, oftentimes they'll hold payment until it's confirmed, and contracts are written and signed over these sales too; it's not under-the-table payments or anything for the most part. Legitimate business transactions.

So, I guess to sum it up, reputation and a demonstrated, or at least vouched-for, past record. There is a lot of trust on both sides.

What's interesting to me about this --- and I've got no firsthand knowledge of the markets --- is that Apple doesn't have to outbid brokers; a broker could offer 50% more than Apple, but that comes with an X% uncertainty penalty. You can sell to Apple and pocket $1MM, or try to structure a deal for $1.5MM and gamble that the bug will survive. I'm betting that's often not a good deal; the lump sum payment is the better option.
I completely agree, it is an enticing offer from Apple for the reason you lay out.

Not all brokers are alike though. Exploit survival is a gamble, but sensible end-buyers usually don't want to burn the exploits either, so will use them sensibly. There are some brokers that don't sell exclusively (despite their claims); they have a reputation for exploits getting burned early.

I have not been involved with any iOS exploits, not really my area of interest, but let's say I was. Would I consider selling it off to Apple? Yeah, it would be something to consider. I'd consider the market rates too of course: 1MM vs 1.5MM, sure Apple is enticing; 1MM vs 2MM, maybe not. Not sure where I would actually draw a line, but you are right that Apple doesn't need to compete directly with the market rate, just close enough.

I'm sure there are those that would rather just go for the bigger profits regardless.

Plus nothing to stop Apple from offering $2Mil if the bug is really bad....er good.
Exactly
I can imagine it being pretty easy.

Hacker: I have a no user-interaction RCE

Apple: ok yeah

Hacker: gimme a phone number

Apple: here you go

Hacker: …

iPhone: I am pwned

Apple: ok let's do the deal

I imagine that a remote exploit should be pretty easy to demonstrate without giving away how you did it?
Harder than you might think. Who gets to control the server being compromised?

1. The buyer or someone the buyer trusts, then the buyer can log all the network traffic and find the incoming attack traffic and work out the exploit from there.

2. The seller or someone the seller trusts, who can backdoor the software to fake it.

3. Someone they both trust, which would require they have some mutual contacts, which, while possible, I wouldn't count on.

4. A random victim, more possible, but neither party would want to risk prematurely burning the exploit.

And of course there are a ton of exploits that are not remote, all sorts of local privilege escalations, and there are partial exploits that are sold. Like a multistage exploit: say just the exploit to escape a sandbox, or even just an exploit that requires a memory leak could be sold without the memory leak, or just selling the memory leak. Obviously a fully weaponized exploit sells for the most, but there are buyers for stages also.

> Who gets to control the server being compromised?

I was thinking about phones, not servers.

> then the buyer can log all the network traffic and find the incoming attack traffic and work out the exploit from there.

Is it really that easy? I'm not a security researcher, but I imagine that most exploits aren't just a magic byte sequence you send to the victim -- so I assumed that just a single observation of a successful attack is not enough to understand it easily.

> I was thinking about phones, not servers.

That doesn't change things too much; it does introduce some potential difficulties with intercepting certain types of traffic/input to the phone. The question just becomes who controls the hardware being compromised.

> but I imagine that most exploits aren't just a magic byte sequence you send to the victim

It's not, and it's not like you can just replay those very same bytes, but it's not magic, it all has a meaning and a purpose. While it's not easy, you can work out plenty from logs. The entire exploit necessarily is there; things will change, but all the instructions[0] that get injected to do later stages necessarily need to be sent, or the instructions to generate/cause them.

It's not an easy skill, but it's not unheard of.

[0] I'm simplifying a bit to avoid getting into various code execution techniques

> The only reason people go underground to sell exploits is for the money.

Not reputation? Not the thrill of it? Not hatred of Apple? Not plain maliciousness?

Some amount of money will likely be able to buy out those reasons, but that isn't guaranteed, and all of those reasons are still reasons.
I don't know anyone who hates Apple that much. This way, you still get the reputation and thrill. The only people left are malicious actors, like state-sponsored attackers.
> I'd imagine this is to combat marketplaces like Zerodium

Zerodium already pays double what Apple does. Where's the incentive?

There is no question on the legality of accepting money from Apple. Accepting money from Zerodium comes with some risk for some people.

https://law.stackexchange.com/questions/502/is-it-legal-to-s...