Exploit Vendor Publishes Prices For Zero-Day Vulnerabilities
An anonymous reader writes: An exploit vendor published a price list for the zero-day bugs it's willing to buy. The highest-paid bugs are remote jailbreaks for iOS. Second are Android and Windows Phone. Third are remote code execution bugs for Chrome, Flash, and Adobe's PDF Reader. This is the same company that just paid $1 million to a hacker for the first iOS 9 jailbreak.
Still legal? (Score:5, Interesting)
Re: (Score:1)
The company is probably a front for NSA/CSIS/GCHQ/Mossad/.
For all intensive purposes, these agencies are above the law.
Re:Still legal? (Score:5, Informative)
For all intensive purposes
For all intents and purposes.
Re: (Score:2)
Is it possible to make a secure product? Absolutely.
Stop right there. This statement is false, at least with respect to systems of significant complexity. This is completely obvious when you realize that software security defects are just bugs. You'll never have perfectly secure software until you have perfect software.
Unless we want to dramatically reduce the complexity (and hence capabilities) of the systems we use, to a point where we can produce formally-verifiable security and correctness proofs, there will always be vulnerabilities. If you accept you
Re: (Score:2)
That could actually turn into a very sane situation. If you add a constraint to sell the vulnerability to the responsible company if that company is willing to match the highest bidder, then it could be really helpful:
- Security researchers get paid for their work
- Companies get an incentive to improve security before releasing products
Warrant or 5 eyes for US brands? (Score:2)
If the Five Eyes nations can just ask for US access, or go to a friendly US court, or have access designed in under US law, what's the payment for the big US brands for?
Why are Linux, VM and Tor browser so cheap, or easy, or well covered, vs US brands that enthusiastically helped the US and UK governments with decryption in the past being so expensive? Even some antivirus options seem to be lower on the list?
A remote jail break on a cell like device seems like any offering that a US warrant
Re: (Score:2)
Because the number of Linux people who do online banking in a VM through Tor is small. The number of iOS people who do banking on their phone is large.
Room for corruption here (Score:3)
Software developer in cahoots with security researcher could design in an obscure bug for the security researcher to 'find', and $$$.
Re: (Score:2)
MOD PARENT UP!
Spot-on. The phenomenon is not new, either. Symantec got big in the late 1980s and early 1990s by awarding bounties for discovery of "new viruses". To help, they provided examples of 'known' viruses.
To a kid in high school or college, this was an easy $50.
* Copy one of their "examples"
* Change something very minor in a hex editor
* Use a printout or send code via a BBS (pre-internet, remember?)
* Profit! (I did.)
And PROFIT Sym