by Veserv 1606 days ago
Okay. Since you say I am underestimating according to your experience can you supply a, in your opinion, 68% confidence interval estimate for the cost or effort required to purchase or develop a zero click iOS exploit (i.e. give a general range for the median case).

Reasonable forms for a sufficiently quantified answer include, but are not limited to:

1. A numerical value to purchase from a broker.

2. A numerical value for the budget a competent organization (such as NSO) might allocate to a team to restock their hoard at a profitable return.

3. The number, skill, likely salary, and time/person-months a competent organization might allocate to restock their hoard at a profitable return.

4. The estimated return on a vulnerability. Giving an estimate of the expenditure bound to maintain profitability.

5. The estimated number of vulnerabilities NSO is finding per year given their budget.

6. The estimated number of vulnerabilities NSO has currently hoarded given their budget. Giving an estimate of the embodied expenditures to date.

7. The estimated amount of time for a NSO vulnerability to be burned allowing the estimation of required replenishment rate.

This is not an exhaustive list of reasonable quantifications, but I think at least something along these lines should provide an adequate quantification to demonstrate the degree to which I am underestimating the state of affairs.

Thank you for the reply. I was actually only expecting an answer to 1 or 2 of them rather than all of them. 2 and 3 were more questions on the business side of (expenditure on staff finding exploits / expected number to find per year) rather than raw expenses and 4 was more a monetary return rather than a ROI, but thank you for all the answers nonetheless.

Just for clarification, am I correctly understanding your answer to 1b as the price of a zero-click iOS exploit being ~$4M in contrast to my stated $1-2M? If so, I will not openly contest that claim here and thank you for your time. Anybody reading to this point can substitute my earlier claims for $4M if so.

I think it's funny that you were able to exploit someone working in the industry into giving up information they shouldn't have merely by stating your speculation as fact.

Who needs 0-days when you have Cunningham's Law[1]?

I'm just trolling, but it apparently did happen here. :)

1: https://meta.wikimedia.org/wiki/Cunningham%27s_Law

Does anyone have a copy of the answers? It seems that it was interesting but was edited.

From memory it was approximately:

1a. $2M for something. Maybe a messenger/important app?

1b. $3.5-4M for zero click in default install (sandbox escape + local privilege escalation)

2. $20M for high level individual talent for a firm like NSO with a $250M revenue/$150M expenses.

3. $400k for a senior engineer. $250k-500k spot bonus for a person in the team who finds a zero-click. Some other words.

4. 500% to 1000%. Some other words.

5. 0-2 zero-click on-hand or maybe per year. 1-3 lesser ones in messaging/browsers/etc I think? Some other words.

6. The answer to 5 is sparse enough that statistics do not really apply.

7. 7-15 months.