How Zero-Day Exploits Are Bought And Sold In A Murky, Unregulated Market

Photo courtesy of a_codepoet via Flickr, modified by Curiousmatic. 

It’s a hacker’s trick, and a lucrative one at that: finding faults in software, exploiting them, selling them, and leaving the programmer with “zero-days” to patch it up.

By popular definition, a zero-day vulnerability is a hole in software or a computer application unknown to the vendor. After the release of a product, hackers rush to find these holes and write complex code to exploit them. The codes are called zero-day exploits.


What follows is a fast but profitable exchange of infiltration codes, which remain unknown for an average of 151 days.

Here are the basic steps of zero-day exploitation:

  1. New software is released (such as an Apple or Chrome operating system)
  2. A hacker or group of hackers detects weaknesses and targets these flaws with sophisticated malware
  3. The attacker then may use, distribute, and sell the zero-day exploit, which can be worth thousands of dollars
  4. The developer and/or public becomes aware of the hole
  5. The programmer creates and releases a fix for the vulnerability, at which point the exploit ceases to exist

The zero-day exploit markets


The buying and selling of zero-day exploits is a murky business, which may help vendors make fixes at best, and be criminally devastating at worst.

There are three markets that vary on a scale of white to black.

Grey market companies specifically find and sell zero-days to clients that include Fortune 500 firms, technology companies, foreign intelligence agencies, and government entities. They may also sell exploits to the highest bidder in anonymous marketplaces.

These companies include ReVuln, VUPEN, Endgame Systems, the Grugq, and Netragard. They are technically legal, though sales are unregulated and often cross national borders, potentially reaching nations like China or Russia.

Black market sales, alternatively, exist beneath all measures of law in the belly of the Deep Web, where criminal hackers trade in zero-day exploits to enable cyber-attacks and cyber-theft of vulnerable systems.

White markets, last but not least, are those that encourage hackers to find zero-day exploits and report them to the vendor for a reward. Though groups like the Zero-Day Initiative will pay researchers bounties to reveal and report weaknesses, there is unfortunately more profit to be made by selling elsewhere.

The cost of zero-days

Some vehemently oppose markets that buy and sell zero-day exploits, comparing them to bullet or gun providers — digital ammunition that, in the wrong hands for the right price, could come with disastrous consequences.

Only a few zero-day exploit sales are publicly known, including:

  • One iOS exploit sold for $500,000, and another for $250,000, the latter sold by the Grugq (allegedly to a U.S. government contractor).
  • Packages of zero-day exploits sold for $2.5 million a year by Endgame Systems, primarily sold to U.S. government contractors
  • $1.2 million in revenue from VUPEN selling exploits to national security agencies

By U.S. law, if a flaw in software has “a clear national security or law enforcement” use, the government can choose to keep information about the vulnerability secret in order to exploit it. When governments buy and don’t disclose zero-days, it leaves that hole open to possible attacks.


Zero-day exploits have been used various times for cyber attacks. For example:

  • Stuxnet was a virus that infected Iran’s uranium enrichment plant, using five zero-day exploits to spread and gain access to private information in 2010
  • Operation Aurora was a 2010 attack on Google, Adobe, and over a dozen more companies through zero-day exploits found in Microsoft’s Internet Explorer Browser.
  • A hack of the security firm RSA was prompted by a zero-day exploit of Adobe’s Flash Player, which allowed an infiltration that stole information related to authentication products

Secretive government and military organizations around the world are in a frenetic race to find zero-day flaws for use in their foreign intelligence and cyberwar efforts.

One such organization, the Equation Group (of U.S. origin, likely NSA, Cyber Command, or both), was recently revealed by Kaspersky Lab’s Global Research and Analysis Team to have known about and traded zero-day exploits that led to attacks by the Stuxnet Group and its offspring Flame and Duqu.

Four of the seven exploits used by the Equation Group, as witnessed by Kaspersky, were zero-days. The group has also allegedly reprogrammed backdoors into firmware across the world.

The takeaway

All of the fuss and secrecy surrounding zero-days are evidence that such vulnerabilities in any system can be used for controversial means, such as hacks, thievery, and shady intelligence gathering.

As long as there is money to be made, it’s unlikely that the market will show any signs of slowing. But this doesn’t mean there are no preventative solutions.

Google’s Project Zero is one such effort to catch and fix zero-days before they become an issue, for which Google is hiring engineers and programmers to find flaws and notify vendors immediately.

Under this model, holes can be patched instead of kept and sold in secrecy. The public is notified as soon as the zero-day is fixed, or after 90 days if it isn’t. We’ll see if it catches on.

Jennifer Markert