Exploit Vendor Publishes Prices For Zero-Day Vulnerabilities
An anonymous reader writes: An exploit vendor published a price list for the zero-day bugs it's willing to buy. The highest-paid bugs are remote jailbreaks for iOS. Second are Android and Windows Phone. Third are remote code execution bugs for Chrome, Flash, and Adobe's PDF Reader. This is the same company that just paid $1 million to a hacker for the first iOS 9 jailbreak.
I'm still confused as to how this exploit market is still legal. Security research has legal purposes; exploit discovery has legal purposes. But the selling of exploits on an open market seems to have only one purpose: using those exploits for something nefarious. So on the one hand, according to some, just the fact that there is torrent traffic on my network makes me a criminal... but on the other, this company can buy and sell exploits to be used to hack and attack people and it's perfectly legal? Sounds about right.
No, the vendor buys exploits from the researchers that discover them. Then the vendor turns around and sells said exploit. You can google a bit and find some enlightening interviews about this, including one from one of the most prominent researchers from years past, who notes that most of the exploits he sold (very nasty, made lots of money) were never actually patched, some of which likely showed up in that trove of NSA docs. The vendor has to have a product to sell, and these guys are mostly a market, so they don't actively find and build exploits; they simply created the market to sell them and make a profit. $1000 to hacker A for finding it, then they turn around and sell it to the NSA for $15,000 (pure speculation on my part).
A software developer in cahoots with a security researcher could design in an obscure bug for the security researcher to 'find', and $$$.