It's been known for a while that there's a huge market for buying and selling zero-day exploits in popular software and operating systems. Traditionally, hackers would inform the original software developer about a security vulnerability, present it at a security conference, or participate in competitions that pay for new zero-day exploits. Recently, the market of instead selling the hacks to governments around the world has exploded. Unsurprisingly, the most lucrative types of customers are the authorities. In fact, an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit.
Hackers today are selling zero-day exploits to government agencies via middlemen who charge a commission for setting up the deal. The organizations don't tell the public about the code they pay for because they use it to gain access to their target's devices. Selling to them is considered safer than striking deals with the mafia or other shady organisations because in those cases talks can go south at any time.
Forbes has put together the chart above listing the prices for a single hacking technique, after speaking with multiple sources. According to one middleman, security vulnerabilities in Apple's mobile operating system are very rare thanks to its stronger security, compared to something like Android. While iOS exploits are the most lucrative, they're not, however, the only ones that can bring a six figure pay day.
Browser vulnerabilities in Chrome, Internet Explorer, Firefox, and Safari are next, with the more popular browsers getting hackers more cash. These are followed by the most popular Microsoft software (Windows and Word). Last but not least, if you can't find a security hole in a browser, there's always Flash and Java that you can go after to get yourself up to $100,000.
The price goes up if the hack is exclusive, works on the latest version of the software, and is unknown to the developer of that particular software. Also, more popular software results in a higher payout. Sometimes, the money is paid in instalments, which keep coming as long as the hack does not get patched by the original software developer.