26 Mar

How Much Can You Get Paid for Finding Security Vulnerabilities?



Hacking is fun. Hacking is risky. Hacking is a talent.

But if you're a skilled hacker, you can earn a lot of money these days by making the right choices.
Find a zero-day exploit for a device like an iPhone or iPad, for instance, report it to Apple, and present it at a security conference to win fame and lucrative consulting gigs.
Or you can sell the exploit to government agencies through middlemen, who charge a commission of around 15% for brokering a deal that can run into the millions of dollars. One such middleman is a Bangkok-based security researcher who goes by the name "the Grugq".


According to a report in Forbes, these agencies do not disclose the exploits they are paying for, because they use them to gain access to their targets' devices, and a public exploit is a patched exploit.

The rough price list for zero-day exploits sold to these government agencies puts iOS at the top, thanks to its stronger security (an iOS exploit is harder to find and chain), followed by Google Chrome, Internet Explorer, Firefox and Safari.


So who is paying these prices? Western governments (the U.S. in particular), European agencies and even the Chinese government. Where an exploit ends up depends not only on the seller's ethical concerns but also on who pays the most.
Sometimes the buyers are private-sector clients who merely use the exploits as proofs of concept for marketing purposes.

As a hacker, you can also report these vulnerabilities to the software vendor itself. Firms like Mozilla, Google and Facebook run bug bounty programs that pay a few thousand dollars per report. Google, for example, typically tops out at $3,133.70 for a single report, a fraction of what the exploit market pays, but without the legal and ethical risk.