What is the purpose of Zerodium? Exploits should be notified to the manufacturer so they can be fixed, not pimped to a third party. The whole thing sounds *very* dodgy to me, because Zerodium obviously need to make money, so who do they sell the exploits to?
Fancy buying a compact and bijou cardboard box home in a San Francisco alley? This $2.5m Android bounty will get you nearly there
Bug-broker Zerodium says it will cough up as much as $2.5m in exchange for techniques to silently and remotely hijack Android devices via critical vulnerabilities, signaling a major change in the pricing of security holes. A new payment structure revealed on Tuesday made clear that flaw-hunters who hook Zerodium up with proof- …
Wednesday 4th September 2019 14:17 GMT Anonymous Coward
Why not in jail
Why are the people in Zerodium not in some crazy max torture prison?
Clearly they brag about buying and selling the exact same tools used by others that end up in jail. But these asshats get a free pass?
They can't be too hard to find - burn them like the witches they are!!!!!
Wednesday 4th September 2019 17:56 GMT LewFoo
Re: Why not in jail
Interesting that you only desire to inflict punishment upon those who FIND and exploit device implementation failures, and yet you are perfectly willing to give a free pass to those who inflict such carelessness on their unsuspecting customers. What about the utter lack of responsibility of those who created their tainted witches' brew in the first place?
Thursday 5th September 2019 03:46 GMT Anonymous Coward
The price probably depends on who is buying them
Especially for buyers willing to pay more for an "exclusive" - i.e. Zerodium sells only to them instead of to multiple buyers.
You'll pay more for an iPhone exploit if you are looking for "richer" targets for e.g. financial crime - because iPhones cost a lot more than all but high-end Androids (which are a single-digit percentage of the overall Android market), iPhone owners are richer on average and thus are more desirable for criminals trying to steal from phone owners.
You'll pay more for an Android exploit if you are a government looking to target as many people as possible for e.g. government surveillance of protests - because Android has a larger installed base and it continues to grow on the low end as feature phones get replaced by sub $50 Androids on the extreme low end.
If you surveil only Android phones you'll probably get all the info you need to track protest / dissident type events even if you ignore the iPhones because there's no way ALL of the leaders have iPhones. But if you want to look for terrorists you can't ignore either, because a cell with only a few people might be all one type of phone.