San Francisco-based Mobile Security firm Zimperium has launched an exploit acquisition program under which it is offering cash to hackers to disclose old exploits. Thus, with this program, the company wants to bring undisclosed attack code out in the open for already patched vulnerabilities detected by victim companies.
For some professionals, paying for old exploits may seem like a waste of valuable resources. But analysts review it as a business opportunity which evaluates the difference between exploits and vulnerabilities.
Note 1- A software vulnerability is a software defect exposed with potential security implications.
Note 2- A software exploit is an actual code that takes advantage of a bug to achieve a specific malicious goal, by surpassing all the security barriers in the way.
Practically speaking, vendors do not know details about vulnerabilities which are accompanied by working exploits. For example, a programming error can lead to memory corruption which will alert the vendor against all potential implications- Ex. Arbitrary Code Execution.
Once the software vendor understands the bug and starts patching it, a malicious code execution can be bypassed by software programmers who can avoid writing a full blown exploit that can easily surpass sandboxes or OS security mechanisms like SELinux, DEP, and ASLR.
But we cannot term the same case for weaponized exploits such as zero-day exploits which target unpatched vulnerabilities. And thatās because, as soon as the vendors discover these vulnerabilities they issue a fix on an immediate note making the attack code anonymous to the public.
For this reason, many of the zero-day exploits have been pulled down by vendors over the years or have remained private to this day.
Zimperium wants to appreciate the art of exploitation, and the cool tricks of those writing an exploit development, bypassing ASLR/KASLR to achieve persistency. It wants to buy the exploits to learn many things to improve security for its customers and partners.
So, the company is welcoming all hackers who have zero-day exploits that target Android and iOS aside from the latest ones.
The price which will be offered by the company for different exploits is not available to media sources. But the company disclosed that it has $1.5 million funds allocated for this program.
Zimperium is also offering a chance to earn for exploit developers. They can write working exploits for the patched vulnerabilities and submit them to the program after analyzing the monthly patches of mobile OS. Hence, working exploits can drive patch adoption in the ecosystem.
Zimperium exploits program under which it pays hackers is aimed to enhance the companyās Z9 Mobile Protection Engine which used machine learning to detect and block network, local and application attacks.
If the author gives permission, Zimperium is also ready to release the exploit on public platforms after three months of its existence.
As of now, Zimperium mobile technology is being used by worldās leading telecom carriers and handset vendors holding tens of millions of users as a customer base. The company wants to extend its support for older mobile devices that are no longer supported with security updates.
