A zero-day is a security flaw that has not yet been patched by the vendor and can be exploited and turned into a powerful but fragile weapon. Governments discover, purchase, and use zero-days for military, intelligence and law enforcement purposes — a controversial practice, as it leaves society defenseless against other attackers who discover the same vulnerability.
Why zero-days are dangerous
A zero-day gets its name from the number of days that a patch has existed for the flaw: zero. Once the vendor announces a security patch, the bug is no longer a zero-day (or "oh-day" as the cool kids like to say). After that the security flaw joins the ranks of endless legions of patchable but unpatched 0ld-days.
In the past, say ten years ago, a single zero-day might have been enough for remote pwnage. This made discovery and possession of any given zero-day extremely powerful.
Today, security mitigations in consumer operating systems like Windows 10 or Apple's iOS mean that it is often necessary to chain together several, sometimes dozens, of minor zero-days to gain complete control of a given target. This has driven the black market payout for a remote execution zero-day in iOS to astronomical levels.
The black market for zero-days
Want to make a cool $1.5 million? Find the right kind of iPhone zero-day and sell it to Zerodium, one of the more prominent players that claims to pay "the highest bounties on the market," according to their website. Brokers like Zerodium sell only to the military-espionage complex, but the secret police of repressive regimes around the world are also known to buy zero-day exploits to hack journalists and persecute dissidents.
Unlike the grey market that restricts sales to approved governments, the black market will sell to anyone, including organized crime, drug cartels, and countries like North Korea or Iran who are excluded from the grey market.
Regulating the black and grey markets for zero-day exploits is a problem the Wassenaar Arrangement has so far failed to solve. Wassenaar prohibits the export of dual-use technologies, such as centrifuges, to proscribed countries. A 2013 proposal to put export controls on software that could be used for malicious purposes was shot down, and many believed that proposal would make things worse rather than better.
Today any sufficiently motivated government or criminal enterprise can get its hands on hacking tools, including zero-day exploits, regardless of regulation.
Bug bounties vs. coordinated vulnerability disclosure
Black hats who don't care that their zero-days could wind up helping torture dissidents will get the most money from the black or grey markets. Security researchers with a conscience are best off reporting zero-day vulnerabilities to the vendor. Organizations of any significant size should publish a vulnerability disclosure process, which publicly promises to hold harmless good-faith reports of security issues and triages the reported issues internally. This is now a best practice standardized in ISO 29147 and ISO 30111.
To encourage reports of zero-day vulnerabilities, organizations can optionally offer a bug bounty program, which stimulates research and disclosure by offering substantial financial payouts to ethical security researchers. These payouts do not and will never rival the black market, but instead aim to reward security researchers who do the right thing.
Should the government hoard zero days?
The NSA, CIA and FBI all discover, purchase and use zero-day exploits, a controversial practice that has drawn criticism. By using zero-days to hack criminals, and not reporting those flaws to the vendor for patching, the government makes us all vulnerable to criminals and foreign spies who might find, or steal, those zero-day vulnerabilities, thus making us all less safe. If the government's job is to protect us, then they should be playing defense instead of offense, critics argue.
In the U.S., the Vulnerabilities Equities Process (VEP) is the flawed mechanism that Washington currently uses to evaluate zero-day vulnerabilities for disclosure. Criticized as ineffective by many, the VEP attempts to balance offense and defense, and decide which security flaws should be reported to the vendor and which should be hoarded for offensive purposes.
The release of the Shadow Brokers exploits, including the ever-popular EternalBlue exploit, raised further questions about what the government should be hoarding. The Shadow Brokers, widely believed to be a cutout for Russian intelligence, stole NSA hacking tools and dumped them online for free. Criminal elements seized these powerful NSA cyberweapons and used them for criminal purposes, and the resulting chaos is still being felt to this day.
Patching is a bigger problem than zero days
Zero-days are sexy and exciting but, let's face it, not as big a deal as they used to be. Just because a vendor has announced a patch doesn't mean vulnerable devices get patched. In many cases, such as with IoT devices, thingumajiggers get shipped from the factory in a vulnerable state, and then never get patched. Sometimes it's physically impossible to patch these devices. A security patch published by the vendor does little good if that patch never gets deployed in production.
As a result, 0ld-days are often more than sufficient for attackers, of both the criminal and government variety. In many cases attackers who possess zero-day exploits prefer not to use them, resorting to 0ld-days instead, because using a zero-day exploit against a savvy defender could disclose that zero-day to the defender. This makes zero-day exploits fragile weapons, especially when deployed in the covert wrestling match between nation-states taking place in the cyber domain today.
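The distinction the article draws, between a flaw with no fix yet (a zero-day) and a flaw whose fix exists but was never deployed (an 0ld-day), is exactly what a defender's patch-gap report has to surface. The script below is an added example, not code from the article or any vendor: it classifies a constructed asset inventory against a constructed advisory list, flagging hosts that sit on a zero-day (nothing to deploy, only mitigations help) and hosts that sit on an unpatched 0ld-day together with how many days the fix has been available. All product names, versions, hostnames, advisory identifiers and dates are made up for the example.

```python
"""Classify an asset inventory against a vulnerability advisory list.

Added example (not from the article). Terminology follows the text:
an advisory with no vendor fix yet is a zero-day; an advisory whose fix
exists but is not installed is an "0ld-day" (n-day) exposure.
Every product, version, hostname, advisory id and date below is
constructed sample data, not a real advisory or CVE.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str                # constructed id, not a real CVE number
    product: str
    fixed_version: Optional[str]    # None: the vendor has published no patch
    patch_date: Optional[date]      # date the fix became available


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.1' into (10, 2, 1) so versions compare numerically,
    not lexically ('10.10.0' must sort after '10.2.1')."""
    return tuple(int(part) for part in text.split("."))


def classify(asset: Asset, advisories: List[Advisory], today: date) -> Dict:
    """Return the worst exposure for one asset.

    status is one of:
      no_known_issue  every advisory for the product is already fixed here
      unpatched       a fix exists but the installed version predates it
      zero_day        at least one advisory has no fix at all
    days_unpatched is the age of the oldest fix that is still missing.
    """
    result = {"host": asset.hostname, "status": "no_known_issue",
              "advisories": [], "days_unpatched": 0}
    installed = parse_version(asset.version)
    for adv in advisories:
        if adv.product != asset.product:
            continue
        if adv.fixed_version is None:
            # Nothing to deploy; zero-day outranks any patch-gap finding.
            result["status"] = "zero_day"
            result["advisories"].append(adv.advisory_id)
            continue
        if installed < parse_version(adv.fixed_version):
            age = (today - adv.patch_date).days
            result["advisories"].append(adv.advisory_id)
            result["days_unpatched"] = max(result["days_unpatched"], age)
            if result["status"] != "zero_day":
                result["status"] = "unpatched"
    return result


# Constructed sample data (not real products or advisories).
TODAY = date(2024, 6, 1)
ADVISORIES = [
    Advisory("ADV-0001", "ExampleOS", "10.2.1", date(2024, 1, 15)),
    Advisory("ADV-0002", "ExampleOS", "10.3.0", date(2024, 5, 20)),
    Advisory("ADV-0003", "ExampleCam", None, None),   # zero-day: no fix exists
]
ASSETS = [
    Asset("laptop-01", "ExampleOS", "10.3.0"),   # fully patched
    Asset("server-07", "ExampleOS", "10.1.0"),   # two missing fixes
    Asset("cam-lobby", "ExampleCam", "2.0"),     # IoT device on a zero-day
    Asset("printer-3", "ExamplePrint", "1.0"),   # no advisories at all
]


def report(assets: List[Asset] = ASSETS,
           advisories: List[Advisory] = ADVISORIES,
           today: date = TODAY) -> Dict[str, Dict]:
    """Classify every asset; keyed by hostname for easy lookup."""
    return {a.hostname: classify(a, advisories, today) for a in assets}


if __name__ == "__main__":
    for host, row in report().items():
        print(f"{host:10} {row['status']:15} "
              f"{row['days_unpatched']:4d} days  {row['advisories']}")
```

Run against a real inventory, the `days_unpatched` column is the number that matters: it is the window during which every attacker who read the vendor's patch notes had a working exploit against that host, no zero-day required.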