Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Bug Bounty Flaws Remain Unpatched for 151 Days: Study

Software vulnerabilities from two popular commercial zero-day brokerage houses give cyber-criminals and nation-state attackers advance access to as many as 100 software exploits on any given day, according to data released by NSS Labs.

Software vulnerabilities from two popular commercial zero-day brokerage houses give cyber-criminals and nation-state attackers advance access to as many as 100 software exploits on any given day, according to data released by NSS Labs.

After studying 10 years of data from HP’s Zero Day Initiative (ZDI) and Verisign’s iDefense — two companies that pioneered the business of purchasing exclusive rights to zero-day vulnerability information — NSS Labs came to the startling discovery that “privileged groups” have access to at least 58 unpatched vulnerabilities targeting products from Microsoft, Apple, Oracle and Adobe.

“These groups have access to critical information that would allow them to compromise all vulnerable systems without the public ever having knowledge of the threats,” said NSS Labs research director Stefan Frei.

Software Vulnerabilities for SaleIn a report titled The Known Unknowns, Frei said the research found that these vulnerabilities remain private — and unpatched — for an average of 151 days, providing a wide open window for cyber-criminals and APT groups to launch targeted attacks against consumers and businesses.

The data in the NSS Labs does not take into account additional programs that sell exploits and vulnerability data to governments and other buyers.

According to Frei, these companies are offering zero-day vulnerabilities for subscription fees that are well within the budget of a determined hacker group.  He provided an example of a subscription package of 25 zero-days per year selling in the range of US$2.5 million.

“This has broken the monopoly that nation-states historically have held regarding ownership of the latest cyber-weapon technology,” he said.  “Jointly, half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year,’ Frei added.

Frei also acknowledged that the true number is considerably higher than has been estimated since many groups in possession of zero-day flaw information have to incentive to coordinate and share data with affected software vendors.

Advertisement. Scroll to continue reading.

In the case of ZDI and iDefense VCP (Vulnerability Purchasing Program), Frei found that the two companies purchased 2,392 vulnerabilities between 2002 and 2013.

“It is significant that the average time from vulnerability purchase to public disclosure is 133 days for VCP and 174 days for ZDI,” Frei said, nothing that this is a lengthy period of time for a process of coordinated disclosure.

“It is clear that vulnerabilities acquired by cyber-criminals or by government agencies remain unknown to the public for extended period of time,” he added.

In the report, NSS Labs noted that these bug bounty programs do not purchase all vulnerabilities offered by researchers.  This means that the majority of vulnerabilities purchased are rated as “highly critical” and affect products that are widely deployed.  

“This poses a significant risk to enterprises and to society,” the company warned.

Related: Bug Bounty Programs More Cost-Effective Than Hiring Security Experts

Exclusive PodcastVupen CEO Chaouki Bekrar Addresses Zero Day Marketplace Controversy

Related PodcastThe Story Behind Microsoft’s Bug Bounty Program

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.