Today, it is not uncommon for companies to offer huge sums of money to individuals who are able to discover vulnerabilities in their systems.
In the majority of cases, these are a particular kind of vulnerability known as zero-days. A zero-day vulnerability is a security flaw that the manufacturer did not discover itself when putting its computer tool into service. This loophole "can then be exploited before the manufacturer realizes it and corrects it as a matter of urgency. This attack is then called a zero-day attack," explains cybersecurity firm Symantec. "There is almost no defense against a zero-day attack," the firm said.
In practice, these security vulnerabilities are quite rare. However, there is no shortage of computer attacks based on them. For example, through a study of data collected from about 11 million Windows operating system users, cybersecurity firm Symantec showed that from 2008 to 2011, 18 attacks were carried out based on zero-day vulnerabilities. In 2013, more than 11 computer attacks occurred as a result of these vulnerabilities, according to cybersecurity firm FireEye.
In addition, there is indeed a market around zero-days. That market may be legal or illegal; it all depends on the intent of the people involved. On the legal side, there are companies that specialize in connecting hackers and institutions affected by these zero-day vulnerabilities. The most famous is none other than the American company HackerOne, founded in 2012. Its main role is to connect hackers who are likely to discover zero-day vulnerabilities with companies, pushing these hackers to remain legal and not to disclose these security vulnerabilities to people who might misuse them. "Some of our clients have bonus programs, others don't, but they all use our platform to better manage and deal with what comes to them from the hacker community. We do this to help response teams have the best possible reports on the flaws," said Katie Moussouris, Director of Public Affairs for HackerOne. Among these customers, HackerOne can count big names such as Dropbox, Airbnb, Snapchat and Twitter.
Like HackerOne, Zerodium has also specialized in this kind of scheme. In contrast to the former, which connects hackers and companies, Zerodium merely buys the vulnerabilities discovered by these hackers in order to resell them to states or other organizations ready to pay a lot of money for them. Some even accuse it of often trading with criminals.
But the activity that most drives the zero-day trade is the famous bug bounty programs. Each year, major digital service providers offer the hacker community financial compensation of up to millions of dollars for those who manage to discover a vulnerability in a particular system. The social network Facebook has repeatedly boasted of having paid, through this kind of program, amounts that can rise to millions of dollars. "The best thing we've done [for Facebook's security] is to have a bonus program in place for many years," said Sheryl Sandberg, Facebook's Chief Operating Officer.