Skyrocketing Bounties for Zero-Day Exploits: Mobile Device Hacks Now Worth $20M
No attachments for this post
Operation Zero, a Russia-based company specializing in the acquisition and sale of zero-day exploits, has recently increased its bounty price for hacking tools targeting iPhones and Android devices. This hike, announced via their Telegram and official X (previously Twitter) accounts, now stands at an unprecedented $20 million, up from the previous $200,000.
By boosting the rewards and introducing competitive plans, Operation Zero aims to incentivize developer teams to collaborate with their platform. They've always maintained their client base is exclusive to non-NATO countries, with their website specifically mentioning that their clients comprise "Russian private and government organizations only." Sergey Zelenyuk, CEO of Operation Zero, didn't elaborate on this exclusivity, hinting only at "obvious reasons."
Zelenyuk indicated that their current bounty offers could be short-lived, reflecting the market's current state and the challenges tied to hacking iOS and Android systems. The market demand determines the pricing of zero-day exploits. He highlighted, "Full chain exploits for mobile phones are currently the priciest, mainly procured by government entities."
Historically, global firms have incentivized security researchers for years, offering handsome rewards for bugs and hacking techniques. Unlike conventional platforms like Hacker One or Bugcrowd, entities like Operation Zero bypass the vendors of the vulnerable products, choosing instead to cater to governmental clientele.
This niche market operates in shades of gray, with volatile pricing and often confidential customer identities. However, there are public pricing structures, like those from Operation Zero. For instance, Zerodium, operational since 2015, pays up to $2.5 million for hacks that compromise an Android device without user interaction. They offer $2 million for similar iOS hacks. Given the enhanced security features in contemporary mobile devices, hackers might need a series of zero-days to completely breach a device.
Crowdfense, a UAE-based rival, proposes up to $3 million for a similar chain of bugs on both Android and iOS.
Zelenyuk, commenting on the price listings by Zerodium and Crowdfense, is skeptical about the bounties diminishing.
The zero-day marketplace remains predominantly unregulated. In specific nations, companies need governmental export licenses, leading to a market fractured by political undercurrents. Recent Chinese regulations, for instance, dictate that bugs are first reported to the Chinese government, positioning China to potentially monopolize the zero-day market for intelligence use. Microsoft's report from last year suggests such regulations may empower the Chinese government to amass and weaponize reported vulnerabilities.
Comments on this post
No comments have been added for this post.
You must be logged in to make a comment.