Zero-day exploit pricelist unveiled

Exploit acquisition platform Zerodium has just published a price chart for different classes of digital intrusion techniques and software targets that it buys from hackers and later resells in a subscription service to its clients.

This is important as it is the first time someone has publicly put a price tag on hacking.

Consequently, it has gained a lot of attention, and while some praise the move, others are disgusted.

Hacking a WordPress-based website and remotely executing code is fairly cheap – it can be done for $5,000 (£3,200). But doing the same on Flash Player can cost you up to $50,000 (£32,000). Remote exploits that entirely defeat the security of an Android or Windows Phone device go for as much as $100,000. And an iOS attack can earn a hacker half a million dollars, by far the highest price on the list.

Wired, which broke the story on Wednesday, says the move “could actually encourage more hackers to sell the intrusion methods they create; independent security researchers have long complained that the lack of public pricing in the zero-day trade makes it difficult for them to get a ‘fair’ price”.

But there are other opinions, as well. Publicly trading in secret intrusion techniques has made Zerodium CEO Chaouki Bekrar a target for criticism from both the privacy community and the software companies whose hackable flaws he exploits for a profit. Google security staffer Justin Schuh once called him an “ethically challenged opportunist.” ACLU lead technologist Chris Soghoian has labelled Bekrar’s Vupen a “modern-day merchant of death,” selling “the bullets for cyberwar.”

The full pricelist can be found on Zerodium’s website.