Fancy buying a compact and bijou cardboard box home in a San Francisco alley? This $2.5m Android bounty will get you nearly there

Bug-broker Zerodium says it will cough up as much as $2.5m in exchange for techniques to silently and remotely hijack Android devices via critical vulnerabilities, signaling a major change in the pricing of security holes. A new payment structure revealed on Tuesday made clear that flaw-hunters who hook Zerodium up with proof- …

  1. Intractable Potsherd

    What is the purpose of Zerodium? Exploits should be notified to the manufacturer so they can be fixed, not pimped to a third party. The whole thing sounds *very* dodgy to me, because Zerodium obviously need to make money, so who do they sell the exploits to?

    1. Shady

      Re: easy pickings

      If you encode "Z3r0d!ium" with a salt of c1a, 3DES encrypt, MD5 the result then use RSA256 on the output, the first three letters are NSA. Coincidence? I think not....

    2. Anonymous Coward

      The purpose is they resell them

      The more they can make reselling them (probably multiple times) the more they are willing to pay.

  2. Anonymous Coward

    Why not in jail

    Why are the people in Zerodium not in some crazy max torture prison?

    Clearly they brag about buying and selling the exact same tools used by others that end up in jail. But these asshats get a free pass?

    They can't be too hard to find - burn them like the witches they are!!!!!

    1. LewFoo

      Re: Why not in jail

      Interesting that you only desire to inflict punishment upon those who FIND and exploit device implementation failures, and yet you are perfectly willing to give a free pass to those who inflict such carelessness on their unsuspecting customers. What about the utter lack of responsibility of those who created their tainted witches' brew in the first place?

      1. Anonymous Coward

        Re: Why not in jail

        lol that's ridiculous. They all need to burn, I don't like anyone getting away with that crap - not even you. And I love you LewFoo (warm wind?)

  3. Anonymous Coward

    The price probably depends on who is buying them

    Especially for buyers willing to pay more for an "exclusive" - i.e. Zerodium sells only to them instead of to multiple buyers.

    You'll pay more for an iPhone exploit if you are looking for "richer" targets for e.g. financial crime - because iPhones cost a lot more than all but high-end Androids (which are a single-digit percentage of the overall Android market), iPhone owners are richer on average and thus more desirable for criminals trying to steal from phone owners.

    You'll pay more for an Android exploit if you are a government looking to target as many people as possible for e.g. government surveillance of protests - because Android has a larger installed base, and it continues to grow on the low end as feature phones get replaced by sub-$50 Androids at the extreme low end.

    If you surveil only Android phones you'll probably get all the info you need to track protest / dissident type events even if you ignore the iPhones because there's no way ALL of the leaders have iPhones. But if you want to look for terrorists you can't ignore either, because a cell with only a few people might be all one type of phone.

