Bidding War: A New Firm Is Offering a Record $20 Million for Zero-Day Exploits
A new entrant from the United Arab Emirates has shaken up the tightly controlled vulnerability market. Advanced Security Solutions, launched in August, has announced its willingness to pay up to $20 million for smartphone exploitation tools. These tools rely on so-called zero-day vulnerabilities: flaws in software that are unknown to the vendor and therefore have no patch. Such capabilities are in especially high demand among intelligence services, cyber-operations units, and national security agencies.
According to its website, the company claims to work with more than 25 governments and security organizations worldwide. It further asserts that its team has over two decades of experience in elite intelligence divisions and private military companies. However, no details have been disclosed about its investors, owners, or leadership, nor about which governments the company intends to supply. The company itself has provided no public comment.
Advanced Security Solutions has published price lists that surpass those of its competitors. For a universal exploit capable of breaching any mobile platform, the company offers $20 million. It also lists specific bounties for targeted platforms:
- $15 million for Android and iOS
- $10 million for Windows
- $5 million for Chrome
- $1 million for Safari and Microsoft Edge
- Up to $2 million for messengers such as WhatsApp, Signal, and Telegram
These figures are strikingly high, though not unprecedented. Operation Zero previously made similar offers, including $1.5 million for a zero-click remote code execution (RCE) exploit and $500,000 for a one-click RCE vulnerability requiring user interaction, such as opening a message. Their offers extended across all versions of Telegram for Android, iOS, and Windows.
The history of this market reveals a steady and dramatic rise in exploit prices. In 2015, Zerodium became the first to publish a price list openly, offering up to $1 million for an iPhone exploit. By 2018, Crowdfense entered with bids reaching $3 million. In 2024, Crowdfense raised its rates even further, to $7 million for iOS exploits, $5 million for Android, and up to $8 million for WhatsApp or $4 million for Telegram vulnerabilities.
As defenses in modern devices grow increasingly sophisticated, the cost of viable exploits continues to soar. Today, such transactions have evolved into high-risk, high-reward investments, where a single discovery can be worth tens of millions. Yet many researchers remain wary of new, opaque players. One anonymous source familiar with the market noted that while the sums offered by Advanced Security Solutions are realistic, he would hesitate to collaborate with a company that conceals its ownership and clientele.