
What makes you think it wasn't sold?

Even if by another party that could have found it before?




Who would you sell it to and what would the buyer do with it? Outline the scenario you have in mind and we can try to sort out how to leverage this specific bug for $7000 worth of some kind of value.


Conceivably, a state actor could use this bug to eavesdrop on an espionage target, no? There is a market for zero-day exploits, where state espionage entities and criminal organizations both pay to learn about the existence of vulnerabilities like this—with prices in the hundreds of thousands to the millions of dollars.

Are you saying that this particular bug would not be worth more than $7000 in one of these markets, or are you questioning the very existence of these markets?


Conceivably, a state actor could use this bug to eavesdrop on an espionage target, no?

Well, let's try to conceive it. Our state level actor is now in possession of an exploit that lets them eavesdrop on a target when they text-dictate or activate Siri, while wearing particular Apple headphones. After getting the target to install a specific malicious app from the App Store. And to run it. And to give it Bluetooth permission. And to make sure to restart it whenever they reboot their phone or the phone kills it for any reason. The value of this as state-level actor surveillance malware feels a lot closer to $0 than $7000 to me but I'm happy to hear a different conception of how this might work.


You're not wrong from a technical perspective, but typically the purchaser would be a broker that re-sells these types of exploits to a state-level actor, or even to another broker. Said brokers are interested in acquiring exploits that check certain boxes for their gov buyers, and anything that checks the iOS box is always going to be a hot commodity.

Remember, at the end of the day the sale is to the government and they have big pockets and less common sense.


anything that checks the iOS box is always going to be a hot commodity

"Shadowy brokers are buying up impractical exploits by mistake" seems like an essentially unfalsifiable claim.


The former.


There are a number of actors who buy bugs like this - you largely don’t hear about them because once they become notorious it gets harder for them to do their jobs.

Google the NSO Group for an example, and that’s just private entities. Nation-state actors are a whole other market for such things.


NSO creates their own chains, they don’t buy them.


CIA, NSA, FBI, and those are just the US-based agencies.


Zerodium would happily buy this for probably $50k minimum.


Is it legal to sell these exploits? Obviously using it is illegal but I wonder if even selling it to someone else who would use it is illegal.

I would happily pick $7,000 clean money over $50,000 dirty.


Legal where? I would wager the overwhelming majority of bug hunters are not in the US.


It’s legal in most of the world, including the US.

