The Digital Exploit Market: A Guide for Non-Techies
Businesses and governments have long been locked in an arms race with hackers. Everyone is hunting zero-day exploits, and the competition has spawned an industry. Below, we review the market’s evolution and take a peek at its future.
What are Exploits?
In non-programming terms, an exploit is a piece of code or a technique that takes advantage of a flaw (a vulnerability) in software to make it do something its makers never intended, such as handing over data the attacker should not be able to see or running the attacker’s own code. Think of the vulnerability as an unlocked digital door and the exploit as the act of walking through it. A “zero-day” is a vulnerability the software vendor does not yet know about, so no patch exists for it. These days, finding and patching such flaws is big business.
But exploits have shelf lives. Once an exploit is used against a target, it is likely to be detected, the underlying flaw gets patched, and the exploit stops working against up-to-date systems.
What is the Exploit Market?
Discovering zero-day exploits is a top priority for businesses, governments, and cyber criminals alike. To serve these very different buyers, three distinct exploit markets have materialized: the white, the black, and the gray.
White Exploit Market
Nowadays, many corporations maintain in-house hacking and security teams that hammer their systems and unearth vulnerabilities before malefactors get there first. Some of these teams concentrate solely on their own company’s systems; other organizations sell the same service to outside clients.
Black Exploit Market
The black market is made up of skilled but unauthorized programmers. They typically find flaws, build working exploits, and sell them to criminals, who use them to breach systems. Black-market exploit hunters are almost always operating outside the law.
Gray Exploit Market
Governments also covet exploits, both because unpatched vulnerabilities in their own systems are a national security risk and because exploits are tools for spying. Like black-market buyers, governments are keen to keep their purchases quiet; conducting espionage and counter-espionage out in the open defeats the purpose. The gray market is where researchers and brokers sell exploits to these government customers: legally, but discreetly.
The Evolution of Exploit Markets
In the beginning, the white-hat exploit market was tiny and insular. Companies that paid security professionals didn’t pay well. Back then, tech-illiterate executives couldn’t justify the expense. Only cutting-edge outfits saw the value.
The black-hat exploit market, however, boomed from the beginning. Remember, it was a time when legislation lagged woefully behind innovation, and the Internet was a lawless frontier, Deadwood territory.
The gray market heated up towards the tail end of the 1990s. The technology had been around for a while, but the Internet was still in its infancy. As such, governments and corporations poked around, trying to determine how they could use it and what they could get out of it — and they paid well.
By the noughties, middleman companies (brokers) had sprung up to facilitate transactions between governments and the security researchers who unearthed zero-day exploits.
In 2007, a Swiss start-up called WabiSabi Labi tried to disrupt the market with an online auction site for zero-day exploits. Unfortunately for the WabiSabi crew, the venture didn’t pan out. Buyers and sellers weren’t comfortable trading this kind of merchandise in the open, rumors that law enforcement was watching ran rampant, and there was a built-in catch: it proved difficult to describe an exploit well enough to market it without giving the underlying vulnerability away.
In 2015, a darknet marketplace called “The Real Deal” tried a different fix for the trust problem: escrow funds held in jointly controlled Bitcoin wallets, so neither side had to trust the other up front. It didn’t alleviate fears. Suspiciously low prices made people suspect a sting operation, and the site shut down soon after it opened.
The Present and Future of the Exploit Market
In recent years, the gray market has shrunk to roughly 20 firms, and it likely won’t make a meteoric comeback. While there will always be a few brokers operating in the space, the need for exploit-market middlemen is declining as more vendors deal with researchers directly and as modern defenses make exploits harder and more expensive to build.
White-hat, in-house security teams, like Google’s Project Zero, are now the norm. Brokers such as Zerodium (founded by the people behind Vupen) are also thriving, buying exploits from researchers and reselling them to government customers. Price-wise, a single working exploit now changes hands for anywhere between $50,000 and $300,000, depending on the target.
The exploit market will likely remain in its current state for a while, and as more of the world goes digital, there will be more mainstream hacking jobs. Likewise, cyber crime is also on the rise, since more people than ever know how to code.
To read more about digital and asset security news and issues, head to our blog.