A company specializing in acquiring and selling zero-day exploits — which are undisclosed software vulnerabilities — has recently announced an astonishing $20 million payout for researchers who can develop hacking tools targeting iPhones and Android devices. This is a significant increase from their previous offering of $200,000 for zero-day exploits on these popular platforms.
Operation Zero, a company based in Russia, made this remarkable announcement through their Telegram accounts and their official account on X, formerly known as Twitter. In their statement, they explained that the substantial increase in payments was part of an effort to encourage developer teams to collaborate with their platform. Operation Zero, launched in 2021, also emphasized that their end users are exclusively non-NATO countries. Although they made this declaration, they did not provide specific reasons for this exclusivity when asked.
Sergey Zelenyuk, CEO of Operation Zero, acknowledged that the bounties they are currently offering might be temporary and a reflection of the unique conditions in the market. He pointed out that the difficulty of hacking iOS and Android, coupled with the demand from government actors, drives up the prices of full-chain exploits for mobile phones. In some cases, these actors are willing to pay exorbitant sums to acquire these exploits before they become available to other parties.
The practice of offering bounties to security researchers who discover and sell software vulnerabilities and hacking techniques has been ongoing for at least a decade. However, companies like Operation Zero differ from traditional bug bounty platforms like HackerOne or Bugcrowd. Instead of notifying the affected vendors, they directly sell these vulnerabilities to government customers, creating a gray market where prices fluctuate, and customer identities remain secret.
Other companies in this space, such as Zerodium and Crowdfense, also offer substantial bounties for zero-day exploits. Zerodium, established in 2015, provides up to $2.5 million for a chain of bugs that allows customers to hack an Android device without any interaction from the target (such as clicking on a phishing link). For a similar chain on iOS, Zerodium offers up to $2 million.
Crowdfense, a competitor based in the United Arab Emirates, offers up to $3 million for the same kind of bug chain on both Android and iOS.
Asked about the bounties offered by Zerodium and Crowdfense, Zelenyuk said he does not believe these prices will decrease significantly. He added that the Zerodium price sheet may be outdated and does not necessarily reflect current buying prices, since the zero-day business continues to function effectively.
The market for zero-days is largely unregulated, but some countries require companies to obtain export licenses from their respective governments, introducing elements of regulation and politics into the market. For example, a law passed in China mandates that security researchers must alert the Chinese government about vulnerabilities before notifying software makers. This has raised concerns that China aims to monopolize zero-days for intelligence purposes, which could have broader geopolitical implications.
In conclusion, the significant increase in bounties for zero-day exploits targeting iPhones and Android devices reflects the growing demand for such vulnerabilities in the global market, driven primarily by government actors. The practice of offering bounties for undisclosed vulnerabilities remains a complex and controversial aspect of cybersecurity, raising concerns about ethics, data privacy, and national security.