New Vulnerability Broker Offers Up to $20 Million for Exploits

A newly emerged company, Advanced Security Solutions (UAE), is offering rewards of up to $20 million USD for zero-day vulnerabilities that enable hacking any smartphone via a single text message. This figure places it among the highest-paying vulnerability brokers—at least among those that disclose pricing publicly.

Record-Breaking Bounties
In addition to its $20 million offer for mobile OS exploits, Advanced Security Solutions has posted substantial payouts for other software:
- Up to $15 million for zero-days that achieve full compromise of Android or iOS devices
- Up to $10 million for exploits affecting Windows and Linux
- Up to $5 million for exploits targeting the Chrome browser
- Up to $1 million for exploits against Safari and Microsoft Edge
The company is also offering up to $2 million for vulnerabilities in popular encrypted messaging apps such as Telegram, Signal, and WhatsApp.

A Mysterious Player
Despite its bold pricing, little is known about who is behind Advanced Security Solutions or who its clients might be.
“We help government agencies, special services, and law enforcement conduct precise operations on the digital battlefield,” the company states on its website. It further claims to maintain “ongoing cooperation with more than 25 governments and intelligence agencies worldwide” and emphasizes the “strategic value” of its services in counterterrorism and anti-narcotics operations.
Although the company is newly established, its website insists that it employs “only professionals with over 20 years of experience in elite intelligence units and private military contractors.”

Market Perspective
According to TechCrunch, citing unnamed sources in the exploit brokerage market, Advanced Security Solutions’ pricing aligns with broader industry trends.
“The stated prices are usually quite real,” one source said. They added that even the eye-catching $20 million figure is not unprecedented in the zero-day market, remarking that “it all depends on your lack of scruples.”
Over the past decade, the zero-day market has expanded dramatically—both in the number of players and in the sums being offered.
- 2015: Zerodium, founded by Vupen co-founder Chaouki Bekrar, offered up to $1 million for iPhone exploits.
- 2018: Crowdfense entered the field, with payouts reaching $3 million for similar zero-days.
- 2024: Crowdfense raised its ceiling, offering up to $7 million for iPhone exploits, $5 million for Android, and as much as $8 million for vulnerabilities in WhatsApp and iMessage.
By comparison, Advanced Security Solutions’ current offer of $20 million for mobile OS zero-days echoes the unprecedented sums offered earlier this year by Operation Zero, a Russian exploit broker that shocked the market with identical pricing.

Rising Costs, Rising Risks
The steady increase in payouts reflects two factors: a surge in demand from governments and intelligence agencies, and the growing difficulty of hacking modern devices hardened with advanced security features. As prices climb, so too does the controversy surrounding the shadowy marketplace where offensive cyber capabilities are bought and sold.