Bug bounties are beginning to ramp up again. For certain exploits, like remote mobile exploits, prices have been pegged above $1 million for the past few months and now seem to be climbing toward $1.5 million. More notably, the price of unreleased 0-days for secure messaging apps like Signal and WhatsApp just hit the $500,000 mark. This confluence of events is notable for a variety of reasons, but before we go into those, let's take a look at why these prices tend to rise in the first place.
Like most things, the prices of these exploits are driven by both supply and demand. In the mobile market, we've been aware of the high demand for, and limited supply of, remote exploits for iPhones in particular for over a year. Apple (and Google) have been working hard on securing the underlying operating systems on their devices. iOS has become much harder to jailbreak in recent years, for example. Android phones have a reputation for being easier to root, but that's starting to change as well.
While the underlying operating systems have become more secure, demand for exploits against them has been ramping up. We've had glimpses into the toolkits available to nation states over the past couple of years via WikiLeaks and similar groups, and what we've been able to see has been sobering. Many of these capabilities have certainly been closed off by various vendors over the years. But understanding what these kinds of organizations were capable of, and what they'd like to continue doing, gives us a hint of what they're willing to spend to get access to these devices.
Keep in mind that while these organizations have built very sophisticated surveillance platforms, those platforms are, for the most part, just software applications. They use a few interesting techniques to hide themselves, but the bulk of the system isn't really anything special. What they do need is something very special in order to be delivered and installed: exploits that give these groups access to devices.
Exploit brokers such as Zerodium sell exploits to a wide range of actors. Now, I don't know who Zerodium sells exploits to, and in fact many of these organizations deliberately attempt to limit their sales to certain groups and countries (e.g. law enforcement, or countries with strong human rights records). But not all do.
This makes the sudden increase in bounties (and honestly, "bounty" may not be the right word; this is really the going rate on the gray market for these exploits) especially interesting. It could indicate a shift in priority for malware and implant authors, and a recognition that mobile operating systems are becoming more and more difficult and expensive to compromise.
We know that various governments, for example, have been very concerned about the wide use of end-to-end encryption in the mobile messaging market. Bruce Schneier and Orin Kerr pointed out a few months ago that one of the possible workarounds for this kind of encryption is attacking the messaging applications themselves, and this seems like a strong step in that direction. Furthermore, I don't believe that most criminal groups care much about communication surveillance, as ransomware and point-of-sale compromise are so lucrative today. Personally, this looks to me like a strong indicator that other, most likely government-affiliated, organizations are shifting their focus to messaging platforms.