
A Zero Day Broker’s Price List - pthreads
http://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hacker-techniques/
======
roel_v
So finding a way to sneak an obfuscated bug into a library used by Webkit now
yields 500k? Opens the door for a whole new class of 'open source monetization
strategies'. Seems like it starts to make sense to pay people to infiltrate
core dev groups of infrastructure libraries.

~~~
1245683
500k are for a remote jailbreak on iOS from the web browser, not just for code
execution in the sandboxed browser. So a webkit vulnerability alone will not
be enough, you will need to chain multiple 0 days in order to escape the
sandbox, and a kernel memory corruption vulnerability to "jailbreak it". And
additionally you will need a codesign vulnerability to run the untether
exploit every time the device boots because the jailbreak is not persistent
otherwise.

------
tantalor
> For the harder target of Google Chrome, Zerodium’s price rises to $80,000

>> Rewards for qualifying bugs typically range from $500 to $50,000.
[https://www.google.com/about/appsecurity/chrome-rewards/inde...](https://www.google.com/about/appsecurity/chrome-rewards/index.html)

Maybe the bug bounty is too low?

~~~
SFjulie1
Yes let's give more incentive to be black hats.

Anyway, IT has still not proven positive impact on the real world economy...

IT startups have been fed with cash for 20 years and every benefit seems to be
sunk into a fast obsolescence sink.

In terms of engineering it is like comparing the F16 now to 40 years ago:

The new F16 has a lot of electronic devices, BUT costs more to operate, loses in
a dogfight vs its former self and the former Mig/Sukhoi, it is 9 tons heavier, it
costs way more to build...

Nowadays, IEDs are costing peanuts, and Russia is frightening Europe with
planes that should be in museums loaded with nuclear missiles.

In economics as in war, costs matter. And at one point for making financial
transactions, the costs of security will matter. Given a point of distrust,
people may revert back to old tech like faxes and unplugged networks and
notice they are more competitive this way.

------
kpcyrd
So they know about vulnerabilities in all those products and keep them private
for profit?

Good thing the secret services have no access to those exploits. Fun times we
live in.

Edit: /s was omitted as an exercise for the reader.

~~~
have_faith
I could spot the sarcasm a mile off, but then I'm British.

~~~
secfirstmd
I'm Irish, I laughed.

