
I got discussing this topic with someone recently and we couldn't reach a consensus, so I thought I should ask here. There are commonly thrown-around figures regarding the cost of buying a remotely-executable 0-day for iOS, Android, Windows etc. I've seen figures go up to $250,000 USD from companies like Vupen; however, Vupen don't disclose anywhere on their site how much they will buy or sell exploits for.

With that in mind, is there any concrete proof of high-value exploits being bought and sold by companies, and if so at what kind of prices? (I'm excluding things like bug bounty programs etc. and I've seen this article, but I'm not convinced.)

In addition to 'legally' acquired exploits, how much do comparable exploits go for on the 'black market'?

NULLZ
  • Simple, they are worth as much as somebody will pay for them. – Zoredache Nov 27 '13 at 01:37
  • Comparable exploits go for much less in the black market. The same bug that can be sold to the FBI for $75k can be sold by a lone Russian hacker for $20k. The best exploits can be... quite valuable. I recall a Chromium 0day chain and an Nginx 0day that both went for $300,000. – forest Dec 13 '18 at 11:20

2 Answers


It's a bit like asking "How much does a car sell for?" in that there will be intrinsic differences between each exploit, dramatically altering the value. On top of that, the chosen way of monetization will dramatically affect the value also (white hat, black hat, etc.). In general I'd suggest black hat methods would probably be more valuable in an absolute sense, ignoring the baggage that goes along with those methods - unless you could consistently produce exploits, in which case it would probably be better to be a company such as Vupen.

This article may be of some interest to you - http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/

Edit: I apologize, somehow I did miss that link to the Forbes article you posted. I think the issue you have is that the information you're after just isn't going to be publicly available. The prices customers would be paying, along with who is even buying, would be some of Vupen's most closely guarded secrets; the same would go for almost every company dealing in this type of product.

For an example of a different exploit market you could look at something like 1337day[dot]com, which has private exploits ranging from $1 - $7000, but not really the type of exploits you're asking about specifically.

Peleus
  • To quote the article: "Bekrar won't detail Vupen's exact pricing". Which doesn't really answer anything more than the other Forbes article I've linked there. – NULLZ Nov 27 '13 at 00:35

Exploits are worth exactly what you can get for them, no more and no less. Microsoft and Google simplify the market by offering to pay the discoverer directly for an exploit and/or patch; this has the added benefit of making the whole transaction public and legal. You can look up their "bounty" rewards on their respective sites; the same goes for many other similar companies.

Selling information on the black market is a dodgy affair, and the implicit cost of doing so makes it much more difficult to calculate the true price; $100 made under-the-table may not be worth nearly as much to you as $100 made free-and-clear. Taking the money may carry risks that far outweigh the monetary value.

Of course, what you can get for it depends on what someone can expect to gain or save with the information. How much time would it take the NSA to make the same discoveries in-house? How much is it worth to them to make sure you don't share the knowledge with anyone but them? How much would a company pay for the information they'd need to patch the software while keeping it off the streets? That of course depends on how much they expect to save or gain or lose.

The result is that you can expect to get anywhere from nothing but a lawsuit on the low end to low 6 figures on the high end. It all depends on factors specific to the case at hand. The range is huge, and the results tend to be unpredictable, except as mentioned in the first paragraph above.

tylerl