Every profession or skill can be exploited for good or for evil. The same thing with hackers, and before you think that a hacker is a bad person, I want to remind you that there is a difference between a hacker and a hacker As we have already talked before And that the cracker is the one who steals programs, websites, and so on, but the hacker is a professional in discovering gaps in computer systems. Originally, this profession is used in securing systems against crackers. For example, if you own a company and you want to make sure that your system is protecting your data is safe against hacking, you use a hacker to reveal the system vulnerabilities for you, and then you address them. And many large companies such as Google and Facebook offer large sums to hackers if they discover flaws in their systems and inform them of them.

Now that we know that the hacker is just a professional developer using his skill for the benefit of others, then how can this knowledge be used for evil? Well, let me tell you the other bad side that some professional hackers may take, which may generate tens of thousands of dollars a month for them, and the return is "selling security holes to intelligence agencies."

The news may be shocking to some, but this is the truth, which I presented in detail Forbes website The famous. Recently, news spread that Google had paid $ 60 to two programmers who were able to find serious security flaws in the Google Chrome browser, and Google continuously provides updates to its famous browser and publishes a list of the amounts paid to people who have been able to find security holes in the browser. These amounts are paid as a reward for them to help them find these loopholes and then close them, but the usual amounts to see are 1000-2000 dollars, but the amounts reach 60 thousand dollars for two people, or 120 dollars for two gaps, this shows the seriousness of these loopholes and you can open the Google Chrome versions page and see the rewards paid For developers Via this link.

Getting a reward for finding a vulnerability is normal and welcome, no matter how large the amount is, but it does not stop at this point. Chaouki Bekrar, the owner of a company working in the field of security research, mentions that his company does not inform Google about the methods followed to find security holes, not even for the amount of 60 thousand Dollar He added: “We will not share these secrets with Google, not even the amount of a million dollars, and we will not tell them about ways to help them close security holes. We want to keep this matter only for our customers.” This means that they will inform other people about the security holes and ways to prevent them, but they will not tell Google itself. This means that these customers do not want Google to close these loopholes, otherwise they would allow the vulnerability to reach them. Do you know who these agents are? “They are the government security agencies.”

According to the report, hackers can earn an average of 2000-3000 dollars from the security vulnerability that they discover in an operating system, company website, or even a famous program, by informing the program owner of the existence of this vulnerability and obtaining the traditional reward. But he can win 10 times and maybe 100 times this amount from the police, security services, or even spies and enemies of the owner of this project in exchange for forcing them with this loophole and keeping it a secret from the owner of the program in order not to close it. One of the organizations that specializes in this field, called Vupen, said that its customers pay $ 100 annually to subscribe to a confidential vulnerability knowledge service. In other words, the company searches for gaps and makes packages "such as phone packages" and various parties participate in them with huge sums to obtain the loopholes secretly and without announcing them, and they do not ask from Vupen Corporation You tell them how to get the vulnerabilities, not even who else bought them, and all they want is to get the vulnerability and not publish it. As for what programs they find security flaws in and sell them to their customers, they mentioned, for example, Microsoft Word, Adobe Reader, Google Android, and finally the famous Apple iOS system, and the latter is the most expensive in price because it is the most prevalent and the most difficult to penetrate. Here is a list of vulnerability pricing, according to each operating system and application.

Of course, there are many factors that control the price, including the spread of the operating system, it means that the target group for the vulnerability is a large category, and also the novelty of the system, so the penetration of a modern system costs more because the vulnerabilities are still new and the company selling it will not imagine that it breaks so quickly, and we see in the list that the price of a system vulnerability Operating the Mac (which I am working on now) is worth 20-50 thousand dollars compared to 60-120 for the Windows operating system, which seems illogical to some because everyone thinks that the Mac system is the most secure, so its vulnerabilities will be the most expensive, but there is another factor which is that if you know For a strong Windows vulnerability, you target more than a billion devices around the world, and this number is twice as large as Mac users. But despite these huge sums that they get in exchange for the vulnerabilities, the Vupen Foundation does not sell the vulnerabilities exclusively to one buyer, but rather sells them to more than one buyer, and none of them will know that there are those who bought the same vulnerability like him and may sell it to more than one government agency and depends on that each buyer will not tell anyone He knows this loophole.

The Vupen Team at the popular Pwn2Own Hacker Conference

But there are some hackers who prefer to identify the buyers of the vulnerabilities of their own and to be major institutions or alliances such as NATO and its members and do not sell the vulnerabilities to any country outside NATO and they said that they check purchase orders and seek to prevent the information and loopholes they obtain from reaching non-democratic regimes because Dictatorial regimes will use loopholes against their own people, while democratic regimes will use them to protect their people from terrorists and others. But the problem, according to their saying, is that they do not guarantee that the loophole remains in the hands of the buyer only because if you sell a weapon to someone, you do not guarantee that this person will not sell the weapon to a third party or that this good and reliable buyer is just a middleman as happened according to their saying that they sold a security vulnerability to someone The Arab countries were surprised then that it is being used to monitor political activists by the Syrian regime. The report says that Vupen does not ask the user what he will do with this vulnerability or, more precisely, he does not care to know because all that matters to him is to get the agreed amount in his account only, but whether the vulnerability is improved or misused, this is not important to him.

The question that arises is how these loopholes are sold? You may be a professional in the field of computers and discover a vulnerability, but you are not a professional in marketing and estimating its price, nor can you even deal with the security services such as intelligence and others to sell the vulnerabilities to them. You are just a professional programmer and you do not know anything but programming. Here comes the role of mediators, including Grugq's, which is a kinetic name of course. He lives in the Thai capital, Bangkok, and works as a mediator. % Of these deals are commission. Do not you think that this percentage is small. According to him, last year he got more than a million dollars from deals, and this makes you imagine the size of the deals that he does? And his fame has spread around the world, which makes him now not dealing in simple loopholes and does not accept a deal if the target price of the loophole does not consist of at least 15 numbers, and it was mentioned that last December he sold a loophole to a government agency at a price of a quarter of a million dollars. If you think that this work is secret and this person does not know his truth, then this is not true, he works in public and this is his picture in a restaurant he works.

When asked what are the most profitable loopholes for him and the most expensive, he replied, "Of course iOS, even after the spread of Android, but Android is easy to penetrate, as for iOS requires breaching Apple's security barriers and its complex system, so it is the most difficult and expensive." Jailbreakme Which was just a web page that made a withdrawal and the jailbreak happened to him that there are organizations willing to pay more than a quarter of a million dollars in exchange for becoming exclusive to them because it will allow them to penetrate any device easily through the Safari browser. As for his most important client, he said that it is the US government, which, according to the statement, is the largest buyer of loopholes and the most high-paying party, and he gets 80% of his income from them. There are also other government agencies, including China, in which there are a large number of developers working to find the vulnerabilities and sell them to the Chinese government only. But the situation differs in the Middle East, where the market is considered weak for many reasons, including the widespread lack of widespread reliance on technology by governments and people in all directions of their lives.

And sometimes the hackers seek to publish videos to identify them and also be propaganda and prove power. In May 2011, Vupen published a video of a device hack with exploits in Chrome, but they did not give any information to Google about this vulnerability and refused to tell it how to close it. Google announced that they used a vulnerability in the flash in the browser to penetrate it, not the browser itself, and they issued an update to close this vulnerability, but Vupen responded to Google by saying that it deceives users and the vulnerability still exists and they also refused to help it, which prompted Google officials to describe the hackers as opportunistic and immoral and leave millions of users They are at risk only to prove strength.


  1. Some hackers find vulnerabilities and sell them to official companies to close them and get rewards. This is good and beneficial for the user and the companies.
  2. Some hackers sell these vulnerabilities to third parties who do not want these vulnerabilities to be closed so that they can use them for espionage. This is bad and it hurts everyone.
  3. Hackers do not guarantee how a buyer will use this vulnerability.
  4. There are some people who work as middlemen and get huge sums for it.
  5. The most lucrative vulnerabilities are iOS vulnerabilities because they are the most difficult.
  6. The hacker may discover system vulnerabilities such as iOS and do not use them in the jailbreak, but sell them to government agencies to penetrate users' devices and do not advertise them so that Apple does not close them.
 Just as there is a war on the ground with conventional weapons, there is also an electronic war ... and the countries are equipping their equipment, even if this war breaks out, it took out what was in its era and took control of the enemy's technology.
What do you think? Have you been anticipating this black market and loophole trading and are you worried about this?


Related articles