by rotrot 1604 days ago
2 comments

Thank you for the reply. I was actually only expecting an answer to 1 or 2 of them rather than all of them. 2 and 3 were more questions on the business side of (expenditure on staff finding exploits / expected number to find per year) rather than raw expenses and 4 was more a monetary return rather than a ROI, but thank you for all the answers nonetheless.

Just for clarification, am I correctly understanding your answer to 1b as the price of a zero-click iOS exploit being ~$4M in contrast to my stated $1-2M? If so, I will not openly contest that claim here and thank you for your time. Anybody reading to this point can substitute my earlier claims for $4M if so.

I think it's funny that you were able to exploit someone working in the industry into giving up information they shouldn't have merely by stating your speculation as fact.

Who needs 0-days when you have Cunningham's Law[1]?

I'm just trolling, but it apparently did happen here. :)

1: https://meta.wikimedia.org/wiki/Cunningham%27s_Law

Does anyone have a copy of the answers? It seems that it was interesting but was edited.
From memory it was approximately:

1a. $2M for something. Maybe a messenger/important app?

1b. $3.5-4M for zero click in default install (sandbox escape + local privilege escalation)

2. $20M for high level individual talent for a firm like NSO with a $250M revenue/$150M expenses.

3. $400k for a senior engineer. $250k-500k spot bonus for a person in the team who finds a zero-click. Some other words.

4. 500% to 1000%. Some other words.

5. 0-2 zero-click on-hand or maybe per year. 1-3 lesser ones in messaging/browsers/etc I think? Some other words.

6. The answer to 5 is sparse enough that statistics do not really apply.

7. 7-15 months.