The well-known 0-day broker Zerodium has openly published its price list for vulnerabilities. The list covers dozens of different attacks and techniques applicable to a variety of applications and systems, and the figures give a slightly better understanding of the strange and very private market for exploit sales.
“The first rule of the 0-day business: never discuss prices publicly. And you know what? We have decided to publish our list of purchase prices,” Chaouki Bekrar, CEO of Zerodium and co-founder of Vupen, told journalists from Wired. Unfortunately, Bekrar declined further comment and did not explain why the company decided to make its prices public, or why it did so now.
In general, Zerodium’s price list looks like this:
For example, for an exploit that gives remote control of a victim’s computer through Safari or IE, the company is willing to pay $50,000. Chrome is considered a more sophisticated “entry point”: for an attack through it, Zerodium pays $80,000.
As can be seen, the price list is not limited to browsers. For example, vulnerabilities in WordPress, Joomla and Drupal are valued very low: only $5,000 apiece. Breaking Tor Browser, however, can earn about $30,000. The latter amount is particularly amusing in light of the recent accusations that the Tor Project’s management levelled at the FBI and researchers from Carnegie Mellon University. The Tor developers are convinced that the FBI paid the university’s research group no less than one million dollars for breaking Tor. It seems the special services greatly overpaid.
A remote exploit that circumvents the protections of Android or Windows Phone will bring its author $100,000. But iOS is the undisputed leader of the list: for a working exploit against Apple’s operating system the company is ready to pay $500,000.
If anyone is surprised by the half-million-dollar sum for an iOS hack, recall that in September 2015 Zerodium announced a contest, saying it would pay hackers one million dollars if they managed to find a 0-day in iOS 9 and provide a working exploit. Earlier this month it was announced that the prize had found its winner: a team of researchers who wished to remain anonymous fulfilled all the company’s conditions and took the biggest bug bounty reward in history. Zerodium representatives called it a “one-time action”, that is, the company was interested in hacking iOS 9 only until the end of October. Now the problem has evidently lost its acute urgency, and the price tag has fallen by half.
Earlier, Chaouki Bekrar and the French company Vupen worked primarily with government agencies, intelligence services and large corporate clients, selling them vulnerabilities. Among Vupen’s customers were the NSA, the FBI and NATO countries, as well as “their partners”, whom Bekrar declined to name. Zerodium’s activities are, in general, similar.
Both companies have repeatedly been subjected to harsh criticism. For instance, back in 2012 Chris Soghoian, a leading expert at the American Civil Liberties Union (ACLU), called Bekrar a “modern-day merchant of death who sells ammunition for cyberwar.” He accused Vupen of deliberately turning a blind eye to whose hands its exploits would eventually end up in, and to how repressive regimes would use them to spy on their own citizens.
Photos: Pictures of Money