San Francisco-based Zimperium will acquire undisclosed code for vulnerabilities that have already been fixed.
The company’s new N-Days Exploit Acquisition Program aims to pay security researchers from a $1.5 million pool for exploits targeting vulnerabilities in software that has already been patched.
This is major a departure from most other similar programs that focus on purchasing zero-day solutions.
“N-day” vulnerabilities are vulnerabilities that have already been discovered by affected companies, but that could take “N” number of days before the patch is released.
While focussing mainly on mobile devices first, Zimperium hopes it can create a market for security researchers to sell their exploits again after they’ve already sold them to governments or major software companies such as Google or Apple.
Zimperium is hoping that this will have the effect of giving zero-day vulnerabilities a much shorter shelf-life, and make using vulnerable code in cyber-attacks less profitable for hackers. “Our goal is to help the community, penetration testers, mobility and IT Admins to better evaluate their security and protect their devices,” said Zimperium’s founder and CTO Zuk Avraham in a blog post, Tuesday.
Hackers tend not to bother very much with software loopholes that are in the process of being fixed by potential targets. But existing sloppy code can still fetch high prices for code that may still be relevant on consumer devices who don’t regularly update their software.
On the other hand, Zero-day exploits can make those who discover them hundreds of thousands of dollars, as they can be exploited for months or even years before being discovered. Those bugs and the exploits weaponizing them can be used to target journalists, activists, celebrities, politicians, and so on.
The market for so-called ‘weaponized exploits’ is huge, and government agencies from around the world routinely buy them so they can target their enemies and rival states.
Zimperium state on their website that: “We now offer a purchasing program for N-Days exploits. It’s simple. We’ll buy remote or local exploits targeting any version other than the latest version of iOS and Android…We humbly believe that we can learn from any exploit and as a result offer better security for our customers and partners… An exploit committee built from selected members… will decide how much to offer for each N-Day exploit. Remote exploits are valuable even more than local ones, but it all depends on the exact bug (and the beauty of the exploit).”