It might come as a surprise to many of you, but there is a booming market of buying and selling zero-day exploits of popular software and operating systems. An exclusive zero-day hack for iOS could get you anywhere in between $100,000 to $250,000.
According to reports in Forbes, any resourceful hacker today has an option to sell zero-day exploits to government agencies via middlemen like Bangkok based 'the Grugq'. For those of you not familiar with the term 'zero-day hack', it is basically a software hack that tries to exploit security vulnerabilities, which are unknown to others or the developer of software in question.
Traditionally, hackers would tell about a security vulnerability to the original software developer, or present it at a security conference or even participate in zero-day initiatives by software firm and earn $5,000-$10,000. But, within last year the market of selling the hacks to government spy agencies has grown many folds and there are suddenly deals worth millions going around all over.
Forbes report mentions that Grugq, who has started working as a middleman last year itself, is already on track to earn a million in revenue this year, thanks to the 15 percent that he gets on every deal.
While $250,000 for a security exploit might sound like a lot but it requires the hack to be exclusive, work on the latest version of the software and should be unknown to the developer of that particular software. The deal money is sometime paid in instalments, with instalments depending on the hack not getting patched by the original software developer.
Not every hack is worth hundreds of dollars; the price of an exploit is dependent on the popularity of software in question as well as difficulty to crack it. For example an iOS hack is most costly because of the tougher security measures taken by Apple than Android hacks, which are often developed by agencies in-house only.
The middlemen like Grugq prefer selling the hacks to western or European governments, mainly because they pay more than others and there is a huge competition in markets like China from home-grown hackers. Selling to government agencies is also considered safer because deals with mafia or other shady organisations can go south anytime.
Grugq is not alone; there are many other individuals and firms in the business of buying and selling software exploits.
As you would expect, there are individuals and organisations that are vocal against these practices, one of the prominent ones being Chris Soghoian of Open Society Foundations. He has even termed hackers selling exploits to spy agencies as 'the modern day merchants of death' selling 'bullets of cyberwar'.