TO HELP shield their products from ransomware like the recent worldwide WannaCry attack, most big software-makers pay “bug bounties” to those who report vulnerabilities in their products that need to be patched. Payouts of up to $20,000 are common.
Google’s bounties reach $200,000, says Billy Rios, a former member of that firm’s award panel. This may sound like good money for finding a programming oversight, but it is actually “ridiculously low” according to Chaouki Bekrar, boss of Zerodium, a firm in Washington, DC, that is a dealer in “exploits”.
Last September Zerodium’s payment rates for exploits that hack iPhones tripled, from $500,000 to $1.5m. Yuriy Gurkin, the boss of Gleg, an exploit-broker in Moscow, tells a similar story. Mundane exploits for web browsers, which might, a few years ago, have fetched $5,000 or so, are now, he says, worth “several dozen thousand”.