
The UAE-based company Advanced Security Solutions, which launched this month, offers up to $20 million for zero-day vulnerabilities and exploits that would allow hacking any smartphone via a text message. This is among the highest prices of any vulnerability broker, at least among those that disclose such figures publicly.
In addition to $20 million for exploits for any mobile OS, the company is also offering large rewards for zero-day vulnerabilities in other software:
- up to $15 million for 0-days that lead to full compromise of Android and iPhone;
- up to $10 million for similar exploits for Windows and Linux;
- up to $5 million for similar exploits for the Chrome browser;
- up to $1 million for similar exploits for Safari and Microsoft Edge.

At the same time, it’s unclear who is behind the company and who its clients are.
“We help government agencies, intelligence services, and law enforcement conduct precise operations on the digital battlefield,” reads the Advanced Security Solutions website. “We maintain ongoing cooperation with more than 25 governments and intelligence agencies worldwide. Our clients keep coming back for new services, reflecting the trust and strategic value we provide in critical operational contexts, including the fight against terrorism and drug trafficking.”
The website also claims that although the company is new, it employs “only professionals with more than 20 years of experience in elite intelligence units and in private military contracting.”
As reported by TechCrunch, citing its own sources in the vulnerability brokerage market, Advanced Security Solutions’ pricing is roughly in line with the market average.
“Usually the quoted prices are quite realistic,” a source told the publication on condition of anonymity. He also added that a $20 million payout isn’t considered huge on the 0-day market, and that ultimately “it all depends on your lack of scruples.”
The publication notes that over the past 10 years, the zero-day vulnerability market has grown significantly, both in terms of the number of companies and the prices being offered.
One of the first players in this field was Zerodium, which emerged in 2015. Back then, the company founded by Vupen co-founder Chaouki Bekrar offered up to $1 million for iPhone hacking tools.
Three years later, in 2018, Crowdfense launched its own platform for purchasing vulnerabilities and exploits, offering up to $3 million for similar zero-days.
Lately, prices for 0-days have risen — partly due to increased demand, and partly because hacking modern devices and software is becoming increasingly difficult thanks to improved security.
Last year, Crowdfense published a new price list, offering up to $7 million for zero-day vulnerabilities in the iPhone and up to $5 million for similar exploits for Android. Zero-days in specific apps have also become much more expensive: for example, the price list offers up to $8 million for exploits in WhatsApp and iMessage, and up to $4 million for exploits in Telegram.
For comparison: Advanced Security Solutions offers up to $2 million for exploits targeting Telegram, Signal, and WhatsApp.
It is also worth noting that at the beginning of this year, the Russian vulnerability broker Operation Zero was an outlier in the market, offering up to $20 million for the same types of exploits that Advanced Security Solutions is now seeking.
