Buying Exploits on the Grey Market
This article talks about legitimate companies buying zero-day exploits, including the fact that “an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit.”
The price goes up if the hack is exclusive, works on the latest version of the software, and is unknown to the developer of that particular software. Also, more popular software results in a higher payout. Sometimes, the money is paid in instalments, which keep coming as long as the hack does not get patched by the original software developer.
Yes, I know that vendors will pay bounties for exploits. And I’m sure there are a lot of government agencies around the world who want zero-day exploits for both espionage and cyber-weapons. But I just don’t see that much value in buying an exploit from random hackers around the world.
These things only have value until they’re patched, and a known exploit—even if it is just known by the seller—is much more likely to get patched. I can much more easily see a criminal organization deciding that the exploit has significant value before that happens. Government agencies are playing a much longer game.
And I would expect that most governments have their own hackers who are finding their own exploits. One, it's cheaper. And two, the exploits are only known within that government.
Here’s another story, with a price list for different exploits. But I still don’t trust this story.
Burzmali • April 2, 2012 8:31 AM
Were I a shadowy government agent with a team of security experts working at finding exploits for me around the clock, I might be tempted to grab an exploit or two that don't quite pass muster (easy to trace or likely to be patched quickly) and sell them to one of these gray marketeers through some front. That way, when they start selling it around the world, I can identify their more aggressive customers and then leak the exploit to the software's developers.