Considering a career change? The prices of zero-day hacking tools continue to rise. In a new pricing list published this week, spotted by TechCrunch, startup Crowdfense said that it will pay between $5 and $7 million for zero-days to break into iPhones.
How much are iPhone exploits worth?
As explained by TechCrunch, these exploits are referred to as “zero-days” because they “rely on unpatched vulnerabilities in software that are unknown to the makers of that software.”
Companies like Crowdfense and one of its competitors Zerodium claim to acquire these zero-days with the goal of re-selling them to other organizations, usually government agencies or government contractors, which claim they need the hacking tools to track or spy on criminals.
According to its new pricing list, Crowdfense said that it will pay between $5 and $7 million for iPhone zero-days, and up to $5 million for Android zero-days.
- Google Chrome zero-days: up to $3 million
- Safari zero-days: up to $3.5 million
- iMessage zero-days: between $3 and $5 million
- WhatsApp zero-days: between $3 and $5 million
These numbers have all increased compared to Crowdfense’s last round of prices, published in 2019. In that report, the company was offering $3 million for both Android and iPhone zero-days. TechCrunch explains that this is a byproduct of companies including Apple and Google improving platform security and becoming quicker at patching vulnerabilities that do arise.
Crowdfense’s payouts are now the “highest publicly known prices” outside of Russia, TechCrunch says:
Crowdfense currently offers the highest publicly known prices to date outside of Russia, where a company called Operation Zero announced last year that it was willing to pay up to $20 million for tools to hack iPhones and Android devices. The prices in Russia, however, may be inflated because of the war in Ukraine and the subsequent sanctions, which could discourage or outright prevent people from dealing with a Russian company.
Apple offers its own Apple Security Research Bounty program, through which security researchers can earn a maximum of $2 million.
The full report at TechCrunch offers an interesting look at the broader world of zero-day exploit payouts and bounty programs.
Follow Chance: Threads, Twitter, Instagram, and Mastodon.
FTC: We use income earning auto affiliate links. More.