Did you know that government agencies in the United States and across Europe are willing to pay hundreds of thousands of dollars to get their hands on zero-day exploits? I am sure the first question that comes to mind after reading this statement is: what is a zero-day exploit? A zero-day exploit is an exploit that has not been publicized or brought to the attention of the manufacturer of the affected software. This means, essentially, that the only two with knowledge of the exploit are the hacker who discovered it and the agency purchasing it.
Hackers sell their exploits to government agencies through a broker that has the right contacts. Forbes recently interviewed one of these brokers who goes by the handle of Grugq. Since he began hooking up his hacker friends with contacts in government a year ago, the Grugq says he’s on track to earn a million in revenue this year (he takes a percentage off the amount given to the hacker).
Just how much money zero-day exploits fetch in this secretive but legal trade was unknown until Forbes was able to speak with various sources in the industry. In the table below you can see a rough list of prices that various exploits go for:
The price is, of course, based on the difficulty of cracking the target software and on how widely it is used. That is why a Windows exploit pays more than a Mac OS X exploit: there are so many more Windows computers in use throughout the world. An iOS exploit, however, pays significantly more than an Android exploit because of the tougher security measures used.
In fact, the JailbreakMe 3.0 exploit creator, Comex, could have gotten over $250,000 if he had contacted a broker like Grugq.
For the Jailbreakme 3 iOS exploit created by the hacker Comex last year, the Grugq says he heard agencies would have been eager to pay $250,000 for exclusive use of the attack.
“You’re basically selling commercial software, like anything else. It needs to be polished and come with documentation,” Grugq goes on to say. “The only difference is that you only sell one license, ever, and everyone calls you evil.”
What do you think of this emerging industry? Do you think people like Grugq are smart entrepreneurs or the modern-day merchants of death? Share your thoughts and responses in the comments section below…