Searching for the holes that allow a hacker to break into software code has gone from being a quirky activity to a legitimate and lucrative business.
Asked how much the FBI paid for the hacking job into the iPhone 5c used by an attacker in the mass shooting in San Bernardino, Calif., FBI Director James B. Comey Jr. first said, "A lot."
More specifically, he said the FBI paid "more than I will make in the remainder of this job, which is seven years and four months, for sure." His annual salary is around $185,100, which suggests the bounty is at least $1.35 million, Eric Lichtblau and Katie Benner reported for The New York Times.
The revelation follows weeks of controversy after the Justice Department tried to force Apple to design a security override, as the tech company's resistance launched a debate over cybersecurity.
Some have suggested $1.35 million is a low estimate, but either way, the FBI paid a high price in a field that is growing larger and more expensive as security vulnerabilities become more valuable to criminals and law enforcement alike.
US firm Zerodium offered bounties of $1 million each for any "working exploit" providing a yet-undiscovered pathway into Apple's latest mobile operating system, The Christian Science Monitor reported.
A high price tag for hacking jobs such as this is not uncommon. Scrupulous hackers who tell companies where their security vulnerabilities are so they can fix them are becoming established in the field of cybersecurity, Paul Roberts wrote for the Monitor:
In the past decade, a growing, global marketplace for software vulnerabilities has transformed a talent for sniffing out security holes in software from a resume bullet point to something akin to Stephen Curry's jump shot or Novak Djokovic's serve: a rare skill that commands a high price. But with everything from software publishers to spy agencies and shadowy cyberarms dealers competing for prized vulnerabilities, experts warn that there are both risks and rewards for both society and the economy in what is quickly becoming a Gold Rush for the Digital Age.
The market is becoming more complex as the monetary opportunities increase, with companies such as HackerOne and Bug Bounty HQ providing a platform to connect talented hackers with companies wanting to test their security.
"It's like finding a gold nugget," Mark Litchfield, a security researcher who once netted $63,000 from the legitimate bug-finding program of a single company, told the Monitor. "Sometimes it's like finding my own gold mine."
The prices are high because talented hackers have so many options for buyers. Some talented bug finders are compelled by conscience to report security breaches only to the companies that can fix them, but others must be motivated by a lucrative bounty. Companies that ask hackers to report their findings tend to pay less than criminals or intelligence officials (Microsoft's fee of $100,000, for example, is considered high).
This means the FBI's undisclosed payout may have been the most expensive publicized hack in history, Reuters reported. It is easy to see why asking Apple to simply override its own security, had the tech company been willing, would have been much cheaper.