The image of hackers as male teen geeks interested in breaking software solely for bragging rights within a tiny subculture persists. Yet, as a recent NYT story observed, the customer base for successful hacks — that is, correctly identified flaws — includes governments and some of the biggest firms in information technology.
Reporters Perlroth and Sanger cite evidence that small entrepreneurs across the world — including a compelling small business in Malta — have high-profile customers that include the NSA and Iran’s Revolutionary Guards. They write that there are several countries paying for zero-day flaws.
Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services. Countries in the Asian Pacific, including Malaysia and Singapore, are buying, too, according to the Center for Strategic and International Studies in Washington.
Previously, hackers were paid by some software vendors themselves, including Microsoft, Google and Facebook. But the stakes have been raised by the participation of governments. The size of payouts and the willingness to participate in the pay-for-flaw enterprise have increased.
The size of the payouts will surprise some. While Apple has no such official program, the NYT article cites two sources who claimed that
. . . a zero-day exploit in Apple’s iOS operating system sold for $500,000.
The article does not go on to question software suppliers as to their plans to improve quality by reducing vulnerabilities.