US government pays $250,000 for iOS exploit

Summary: Selling exploits to government agencies is becoming a more and more lucrative business. Hackers can get paid anywhere between $5,000 and $250,000 for a security vulnerability.

It's been known for a while that there's a huge market for buying and selling zero-day exploits in popular software and operating systems. Traditionally, hackers would inform the original software developer about a security vulnerability, present it at a security conference, or participate in competitions that pay for new zero-day exploits. Recently, the market for selling the hacks to governments around the world instead has exploded. Unsurprisingly, the most lucrative customers are the authorities. In fact, an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit.

Hackers today are selling zero-day exploits to government agencies via middlemen who charge a commission for setting up the deal. The organizations don't tell the public about the code they pay for because they use it to gain access to their targets' devices. Selling to them is considered safer than striking deals with the mafia or other shady organizations, because in those cases talks can go south at any time.

Forbes has put together the chart above listing the prices for a single hacking technique, after speaking with multiple sources. According to one middleman, security vulnerabilities in Apple's mobile operating system are very rare thanks to its stronger security, compared to something like Android. iOS exploits are the most lucrative, but they're not the only ones that can bring a six-figure payday.

Browser vulnerabilities in Chrome, Internet Explorer, Firefox, and Safari are next, with the more popular browsers earning hackers more cash. These are followed by the most popular Microsoft software (Windows and Word). Last but not least, if you can't find a security hole in a browser, there's always Flash and Java, which can earn you up to $100,000.

The price goes up if the hack is exclusive, works on the latest version of the software, and is unknown to the developer of that particular software. Also, more popular software results in a higher payout. Sometimes, the money is paid in instalments, which keep coming as long as the hack does not get patched by the original software developer.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.

Talkback

9 comments
  • Where are the editors there?

    Headline reads: "US government pays $250,000 for iOS exploit"

    Story says: "In fact, an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit."

    The rest of the story is mere hyperbole and supposition, making the headline FALSE.

    You might as well create headlines that read, "US Government pays $1M for garbage collection" because there's a contractor somewhere that pays that much monthly for collection of haz-mat refuse. What's the correlation? I mean, I'm sure that virtually any Government contractor that makes parts for aircraft has pretty hefty bills for disposing of hazardous materials, no?

    It's also the case that US Government pays millions of dollars a year for anti-virus software. If it's OK to use anti-virus software to protect regular computers, then why not purchase exploits to understand vulnerabilities that are not (yet) being addressed by anti-virus and other software for more sensitive computing platforms?

    BTW, how many anti-virus scanners exist for iOS devices today?

    Uhh.... I can't think of a single one. Meaning that if a defense organization wanted to understand the risks of using iOS-based devices, how else are they going to find out? Do you think Apple is going to tell them (if they even know)?

    This is an absurd story, starting with a totally misleading headline.
    zdnet@...
    • RE: Where are the editors there?

      "if a defense organization wanted to understand the risks of using iOS-based devices, how else are they going to find out?"

      Hire Charlie Miller and/or Dino Dai Zovi?
      Rabid Howler Monkey
      • No Budget For That

        but they do have one for paying out for exploits...

        talk about burying your head in the sand.... :D
        rhonin
    • That ain't it

      "if a defense organization wanted to understand the risks of using iOS-based devices, how else are they going to find out?"

      That ain't what this program is about, it's about trying to find ways to hack into the phones used by criminals, international terrorists and whatnot to be able to monitor them.....if you found out that Osama bin Laden was using an iPhone, wouldn't you want to know how to gain remote access to that phone so you could find out what he was doing?
      Doctor Demento
  • corporate welfare?

    tax money used to help large corporations anyone?
    LlNUX Geek
    • RE: corporate welfare?

      O Linux Guru Advocate, how come desktop Linux wasn't on the list along with Windows, Mac OS X, iOS and Android? And what do you think a desktop Linux exploit goes for? My guess is around $1,000.
      Rabid Howler Monkey
    • Huh?

      This money isn't going 'to large corporations' it is going to individual hackers who find vulnerabilities and want to sell them....
      Doctor Demento
  • Love my country, but fear my government!!!

    This is yet another example of why our Founders intended to keep government very small, with enumerated powers being its only powers. We've morphed far, far away from those, and now have unfettered government that is a master, not servant, of the people.
    Techboy_z
  • Errr.....

    Surprised someone can get up to $200,000 for a Chrome vulnerability. After all, Chrome is the buggiest browser on the market. Constantly updating the thing. Usually at least a dozen vulnerabilities every two weeks [according to the NIST newsletter]. I don't see that many or as often for the other browsers.
    What Google offers for their bounty is peanuts!
    Surprised OSX is so cheap - I guess it's almost as buggy as Adobe Reader/Acrobat.
    Gisabun