A company specializing in acquiring and trading undisclosed software vulnerabilities, known as zero-day exploits, has announced a substantial increase in payouts to researchers.
Operation Zero, based in Russia and established in 2021, revealed on both its Telegram and X (previously Twitter) accounts that it is now offering $20 million for hacking tools capable of breaching iPhones and Android devices. This is a significant escalation from its previous offering of $200,000.
The company emphasized its commitment to collaborating with developer teams by boosting premiums and providing attractive incentives for contractual work.
Operation Zero explicitly stated that its clientele exclusively comprises private and governmental entities within Russia. When asked about this limitation to non-NATO countries, CEO Sergey Zelenyuk declined to provide specific reasons, citing them as "obvious."
Zelenyuk hinted that the current bounties could be temporary and reflect present market dynamics, especially considering the challenges associated with hacking iOS and Android systems. He explained that prices are influenced by the availability of specific products in the zero-day market.
Presently, complete chain exploits for mobile phones are the most coveted and, consequently, the most expensive products, primarily sought after by government entities willing to pay a premium for exclusive access.
For over a decade, companies worldwide have been offering rewards to security researchers who uncover software vulnerabilities and the corresponding hacking methods.
Unlike conventional bug bounty platforms like HackerOne or Bugcrowd, Operation Zero opts not to inform the affected vendors. Instead, it sells these exploits to undisclosed government customers. This trade operates within a gray market where prices fluctuate and the identities of clients remain confidential. However, certain companies, including Operation Zero, have published public price lists.
For instance, Zerodium, established in 2015, provides up to $2.5 million for a sequence of vulnerabilities that permit the hacking of an Android device with no interaction required from the target. For a similar chain of exploits on iOS, Zerodium offers up to $2 million.
Crowdfense, a competitor headquartered in the United Arab Emirates, matches or exceeds these payouts by offering up to $3 million for comparable vulnerabilities in both Android and iOS.
Zelenyuk expressed skepticism that the bounties offered by Zerodium and Crowdfense will ever drop to lower levels. He contended that while Zerodium's price sheet may be outdated, the company continues to make competitive purchases, demonstrating the resilience of the zero-day market.
The zero-day market operates largely without regulation. However, companies in some regions may be required to obtain government-issued export licenses. This entails seeking permission to sell to specific countries, which may be subject to restrictions. This has led to a segmented market increasingly influenced by political factors.
Notably, a recent law in China mandates that security researchers notify the Chinese government of discovered vulnerabilities before alerting the software developers.
“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them,” Microsoft said in a report from last year.