If You're An iOS Hacker, A Powerful Exploit Could Earn You $250,000
by Joe White
March 24, 2012
If you're an iOS hacker who's just uncovered a brand-new exploit in Apple's mobile operating system, the U.S. Government might pay you up to $250,000 for exclusive use of the exploit - but, only if you able to contact one particular gentleman (or, at least someone like him), mysteriously referred to as "the Grugq."
The Grugq is a Bangkok-based security researcher who works as the middle man in deals made between iOS hackers, and the U.S. government. In fact, Mr. Grugq orchestrates deals between hackers of almost every major operating system - desktop and mobile - and large official bodies, such as the United States Government. Because of its huge popularity and the locked-down nature of Apple's mobile operating system, iOS exploits receive the highest payout.
Forbes, in its fascinating piece on the Grugq, explains:
That iOS exploit price represents just one of the dozens of deals the Grugq (pictured above) has arranged in his year-old side career as a middle man for so-called “zero-day” exploits, hacking techniques that take advantage of secret vulnerabilities in software. Since he began hooking up his hacker friends with contacts in government a year ago, the Grugq says he’s on track to earn a million in revenue this year. He arranged the iOS deal last month, for instance, between a developer and a U.S. government contractor. In that case, as with all of his exploit sales, he won’t offer any other details about the buyer or the seller. Even with the $250,000 payout he elicited for that deal, he wonders if he could have gotten more. “I think I lowballed it,” he wrote to me at one point in the dealmaking process. “The client was too happy.”Here's a rough breakdown of payouts for exploits found in operating systems (and applications) ranging from Adobe Reader, OS X and Android to Safari, Chrome and iOS: The Grugq takes a 15 percent cut out of the deals he makes, and 80 percent of his revenue is from the U.S. (he is also able to make deals with other Western governments, besides the U.S.). For the JailbreakMe solution developed by @comex, the Grugq told Forbes that the top price of $250,000 would easily have been offered for exclusive access to the solution. Forbes acknowledges that a key problem with this mode of marketing exploits is that a major exploit could - if the deal is made - end up in the wrong hands. The Grugq criticises companies like Google who, despite offering payouts for exploits found in their Chrome browser, don't offer enough:
Google typically offers a maximum of $3,133.70 for information about the most complex flaws in its software, a number that’s meant to spell out “elite” in hacker slang. But a four-figure price is hardly elite enough for the Grugq. ”If they want their bugs fixed, they can buy them at market rates like everyone else,” he says. “From each according to their ability, to each according to their needs? That’s communism. If they want the output, they can pay for it like anyone else. They have my email.”You can read the full Forbes article by clicking this link.