The UAE-based company Advanced Security Solutions, which launched this month, offers up to $20 million for zero-day vulnerabilities and exploits that would allow hacking any smartphone via a text message. This is among the highest prices of any vulnerability broker, at least among those that disclose such figures publicly.
In addition to $20 million for exploits for any mobile OS, the company is also offering large rewards for zero-day vulnerabilities in other software:
- up to $15 million for 0-days that lead to full compromise of Android and iPhone;
- up to $10 million for similar exploits for Windows and Linux;
- up to $5 million for similar exploits for the Chrome browser;
- up to $1 million for similar exploits for Safari and Microsoft Edge.
At the same time, it’s unclear who is behind the company and who its clients are.
“We help government agencies, intelligence services, and law enforcement conduct precise operations on the digital battlefield,” reads the Advanced Security Solutions website. “We maintain ongoing cooperation with more than 25 governments and intelligence agencies worldwide. Our clients keep coming back for new services, reflecting the trust and strategic value we provide in critical operational contexts, including the fight against terrorism and drug trafficking.”
The website also claims that although the company is new, it employs “only professionals with more than 20 years of experience in elite intelligence units and in private military contracting.”
As reported by TechCrunch, citing its own sources in the vulnerability brokerage market, Advanced Security Solutions’ pricing is roughly in line with the market average.
“Usually the quoted prices are quite realistic,” a source told the publication on condition of anonymity. He also added that a $20 million payout isn’t considered huge on the 0-day market, and that ultimately “it all depends on your lack of scruples.”
The publication notes that over the past 10 years, the zero-day vulnerability market has grown significantly, both in terms of the number of companies and the prices being offered.
One of the first players in this field was Zerodium, which emerged in 2015. Back then, the company founded by Vupen co-founder Chaouki Bekrar offered up to $1 million for iPhone hacking tools.
Three years later, in 2018, Crowdfense launched its own platform for purchasing vulnerabilities and exploits, offering up to $3 million for similar zero-days.
Lately, prices for 0-days have risen — partly due to increased demand, and partly because hacking modern devices and software is becoming increasingly difficult thanks to improved security.
Last year, Crowdfense published a new price list, offering up to $7 million for zero-day vulnerabilities in the iPhone and up to $5 million for similar exploits for Android. Zero-days in specific apps have also become much more expensive. For example, up to $8 million for exploits in WhatsApp and iMessage, and up to $4 million in Telegram.
For comparison: Advanced Security Solutions offers up to $2 million for exploits targeting Telegram, Signal, and WhatsApp.
It is also worth noting that at the beginning of this year, the Russian vulnerability broker Operation Zero was an outlier in the market, offering up to $20 million for the same types of exploits that Advanced Security Solutions is now seeking.