Mobile security company Zimperium said Tuesday that it will start buying exploits, but in a departure from most other programs, it will not be buying zero-days.
The company’s N-Days Exploit Acquisition Program will pay researchers from a pool of $1.5 million for exploits targeting vulnerabilities in Android and iOS that have already been patched.
Zuk Avraham, founder of Zimperium, said the program will not only serve to train the company’s core internal Z9 machine learning engine, but also encourage and reward exploit writers to develop proof-of-concept exploits that could nudge carriers and handset makers to improve patch delivery to devices.
“We are not an exploit acquisition company; we don’t do offensive stuff. We get the same value from our perspective working on N-days,” Avraham said. “Right now N-days are worth zero. We are going to help create value for vulnerabilities that sell for zero and make them worth more than that.”
Avraham said exploits for iOS 8 and later, and Android 4.0 and later, will be eligible for the program. Exploits from the program will be first delivered to Zimperium partners and members of its Zimperium Handset Alliance, which includes some large mobile manufacturers such as Samsung and BlackBerry. Within three months, the exploits will be publicly released. Members of Zimperium’s Zlabs research team will evaluate submissions and determine payouts on a case-by-case basis.
“These things need to be shared in order for the community to get better and safer,” Avraham said, pointing to other exploit acquisition programs that do not share exploits publicly. “We have to change that; that’s what triggered creation of this program.”
Having a working proof-of-concept exploit, Avraham said, should add urgency—especially on the Android side of the equation—for handset makers and carriers to deliver patches and improve the overall security of the ecosystem. Exploits coming out of the program, for example, puts more PoCs in the hands of industry, some of which could be hesitant to deliver timely patches without working public exploits, Avraham said.
“Android got better, and much safer if you’re on the latest version, but only .5 percent are on the latest version unfortunately,” Avraham said.
One glance at the monthly Android Security Bulletins will show you the multitude of vulnerabilities Google regularly assesses and remediates for the mobile operating system. And while Google patches its Nexus phones in over-the-air updates, that process represents only a percentage of the mobile market running devices at current patch levels.
The Android ecosystem still lags overall on comprehensive patching, and it’s not alone given that while Apple regularly pushes updates to its devices, it still relies on users to download and install them.
“We are not there yet, and we can get better,” Avraham said, conceding the improvements made since the initiation of the monthly Android patch releases from Google in particular and the number of critical bugs in Mediaserver and Stagefright that have been found and patched. “It’s gotten better, but it’s still very challenging work.”
Avraham said the program is scheduled to run at least one year, but depending on whether it’s successful, it could be extended.
“With this program, we thought we would get creative, support the community and do something different for once,” Avraham said.