It’s a strange world we’re living in: On the one hand everyone, including tech companies and governments, wants their devices – be it their smartphones, PCs, or connected devices – to be as secure as possible. On the other hand there are companies that pay a lot of money to get their hands on the latest 0-day exploits (which incidentally is also to some degree encouraged by the government).
Zerodium is one of these companies. It acquires such exploits for what seems like a lot of money and then sells them to its customers, which most likely include governmental institutions (like the ones that produce state-sanctioned spy malware), law enforcement and other interested parties.
To get their hands on exploits and security issues, companies like Zerodium pay serious money. No wonder – they need to pay more than the typical bug bounty and make selling to them more lucrative than simply using the exploit as a quick way to make money illegally.
$2,000,000 for an Apple iOS remote jailbreak
Now Zerodium has released a new list of what certain bugs are worth to them – and wow, can you make a lot of money. At the top of the list are Apple iOS remote jailbreaks (zero click) with persistence: you’ll get a whopping 2,000,000 dollars for one of those. WhatsApp, iMessage, or SMS/MMS remote code executions are also of interest and are worth 1,000,000 dollars.
Generally it is not advisable to sell bugs and exploits to companies like Zerodium. Not only is what they are doing in a very gray legal area, it also helps institutions keep exploits private and – if worst comes to worst – unpatched for years. We have seen the results of practices like this, for example with EternalBlue and its fallout.