by Rubu 3882 days ago
I'm pretty skeptical as well. Can't say I know a lot about going rates for 0days like these, but something tells me 1M isn't even that much. If this "anonymous hacker collective" doesn't mind selling to the highest bidder, why not take it to the market themselves?
3 comments

There are two big issues I see:

1) Trust problems between the seller and the buyer. Either the seller needs to trust that the buyer will deliver a working exploit, or the seller will give the chance for the buyer to evaluate and the seller then needs to trust that the buyer won't steal the vulnerability.

2) Issues of access. Sellers don't know how to get in touch with buyers.

Also, some buyers may want to purchase an exploit library instead of negotiating for each sale, and a middleman can offer value here.

Also, it is possible Zerodium offered over the market value (or over what they usually pay) in this situation in order to generate publicity. Other companies that buy vulnerabilities have offered larger one-off bounties in the past.

Politics? Could be a stolen technique - maybe it's easier to hack the hackers and steal their hacks to sell than develop your own.
The company that paid $1m for the exploit can make multiple sales of the same exploit to various governments and agencies. The hacker collective either don't have the connections or don't want to deal with the NSA, US Govt, GCHQ et al.

Would you want to end up on their list of interesting people?