Written By: JoCee Holladay
We have all been there. You set your alarm to wake you up five minutes before your online Zoom class, turn on Zoom, and BAM! Your computer decides to update right then.
Whatever technology you use, there is just no escaping it—software needs consistent updates (and almost always at the worst time).
Software updates are just a part of being a citizen of the digital world; nonetheless, have you ever wondered what all these updates are doing? Most of the time, we don't notice anything different after the completed software patch. There aren't any new features or modifications to the user interface, and everything looks the same. So… What needed to be updated? Well, over 90% of software updates fix security issues and bugs [1].
You don’t need me to tell you this, but software, being human-made, is full of bugs. These bugs can result in broken forms, web pages that don't redirect, and in the worst case, a security hole that lets an attacker into your system to take your information. When such a hole is unknown to the software's developers, it is called a zero-day vulnerability.
Zero-day vulnerability (n): A significant hole in software that the developers do not know exists. These often grant an attacker access to a system and can potentially cause much harm.
For example, a recent zero-day vulnerability compromised iPhone and iPad users. Hackers discovered a hole in the Safari web browser and were able to design a website which, when visited on an iPhone or iPad, stole the logged-in session data (otherwise known as cookies) for every website the user was logged in to on that device. The hackers targeted government officials and sent them a malicious link through LinkedIn. If any of these targeted users opened the link on their iPhones, the hackers got access to their email and other accounts.
With zero-day vulnerabilities able to do so much damage, an entire industry has emerged with a focus on finding these weaknesses. Large tech companies such as Google, Facebook, or Apple will pay you large sums of money if you find and report a bug in their system through their bug bounty programs.
Bounty program (n): A program companies set up where they will pay you to help them find security vulnerabilities within their software.
HackerOne is the most prominent bug bounty platform: many companies such as Google, AT&T, PayPal, and Nintendo set up HackerOne accounts, allowing white hat hackers to find and report security “holes” within their systems.
For example, if a white hat hacker hacks into AT&T and reports the bug through the HackerOne website, AT&T will reward that hacker. Now that AT&T is aware of that security hole, they can fix it, protecting their users. Rewards average between $3,000 and $10,000. Since 2019, when AT&T created its HackerOne account, they have paid out a total of $3 Million to over six thousand ethical hackers. In 2022, the combined payout for all companies on HackerOne was nearly $45 Million, so talented white hat hackers can make some serious money finding security vulnerabilities. There are even 9 ethical hackers who have each single-handedly earned over $1 Million on the HackerOne platform! [2]
White hat hackers / ethical hackers (n): Someone who tries to hack into software, not to take advantage or steal information, but to provide security insight and to help companies secure existing vulnerabilities in their systems.
While some hackers look for vulnerabilities to sell back to the company, other hacker groups go in a different, more profitable direction.
It isn't illegal for hackers to search for and find software bugs, and technically, it isn't illegal to sell software vulnerabilities either (exploiting vulnerabilities, however, is). This legal loophole has resulted in a large, unregulated gray market of groups buying, selling, and trading software vulnerabilities. People who find software vulnerabilities and sell them on the gray market are called gray hat hackers.
Gray hat hacker (n): Someone who finds software vulnerabilities without a company's permission and sells them on the unregulated gray market for a profit.
One of the leaders in this gray space is a company called Zerodium. This company is different from HackerOne because it doesn't work with companies to provide bug bounty programs. Instead, Zerodium offers an alternative place for hackers to sell security vulnerabilities. They pay a much higher price – up to $2,500,000 – for a single zero-day vulnerability! Why is Zerodium willing to spend so much? If Zerodium isn't working with companies, then who are they working with?
It is widely speculated that the United States government is one of the highest bidders for zero-day vulnerabilities. In 2013, the National Security Agency budgeted over $25 million to buy zero-day vulnerabilities.
When a zero-day vulnerability is found and reported directly to the company, that hole in the software can be fixed, which protects all the other users of the system. But when people sell these vulnerabilities on the gray market, the vulnerability remains unpatched, leaving people’s personal information at risk [3] from black hat hackers.
Black hat hacker (n): Someone who exploits software vulnerabilities illegally, often for monetary gain.
We know of at least one instance where the United States government, working with the Israeli government, utilized multiple zero-day security vulnerabilities in a digital attack against another nation-state. In 2010, an Iranian uranium enrichment facility was almost halted when malicious software released on the internet took over machines within the facility. This piece of malware is so infamous as the first digital weapon used to attack another nation-state that it has a name: Stuxnet. Stuxnet was a very sophisticated piece of software that exploited four zero-day vulnerabilities and had the potential to do a lot of damage, while managing to remain hidden for years.
From Cambridge Analytica to Equifax, software security scandals commonly appear in our news headlines. As more of our lives become "smart," digital citizens are more exposed to the risks of security vulnerabilities than ever before. We increasingly rely on software to perform daily tasks and are thus exposed to security threats from the lucrative gray market, where hackers sell software vulnerabilities for millions of dollars. But digital citizens aren't entirely exposed. We have white hat hackers who search for the same zero-day vulnerabilities that would otherwise be sold on the gray market, and report them to bug bounty programs instead. Not all heroes wear capes – sometimes, they wear white hats.
Interested in learning more about the history and hidden world of hacking? Here are some books written by women in STEM on this topic:
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth
Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter
[3] This can sometimes be advantageous. For example, Microsoft is known for giving governments a heads-up when it finds security vulnerabilities in its operating system, so that the NSA can access terrorists’ computers and gain information. https://www.bloomberg.com/news/articles/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms