UAE Startup Offers Up to $20M for Smartphone Zero-Days

New UAE startup advertises up to $20M for smartphone zero-days

Advanced Security Solutions, a newly launched firm based in the United Arab Emirates, is offering some of the biggest public bounties in the zero-day market — up to $20 million for hacking tools that can compromise a smartphone using a text message.

• $20M for any mobile operating system exploit
• $15M for iPhone and $15M for Android SMS-style zero-days
• $10M for Windows, $5M for Chrome, $1M for Safari and Edge, plus payments for messaging apps

The company’s site claims it serves more than 25 governments and intelligence agencies and is staffed by personnel from elite intelligence and private military backgrounds. But who funds, owns, or runs Advanced Security Solutions — and who its actual customers are — remains unclear.

Security researchers say the advertised prices are broadly in line with the wider market, which has been escalating for years as demand rises and modern platforms get harder to exploit. One researcher told TechCrunch the $20M figure is "low depending on how unscrupulous you are."

This surge mirrors earlier shifts: Zerodium first publicized million-dollar bounties in 2015, Crowdfense raised payouts in later years, and other brokers have pushed prices higher for remote-phone exploits and messaging-app vulnerabilities.

Some brokers also sell exploits tailored to apps like WhatsApp, Signal, and Telegram. Advanced Security Solutions lists multi-million-dollar bounties for those targets too, reflecting a market that prizes code able to bypass modern protections.

The opacity around buyers and sellers raises serious ethical and legal questions. When high-value exploits effectively become digital skeleton keys, they can be used for counterterrorism and narcotics control — as the site claims — but also for surveillance, human-rights abuses, or geopolitical coercion.

Researchers warn against selling to anonymous intermediaries. Legal constraints in many countries also complicate cross-border sales of offensive tools; some exploit brokers restrict buyers accordingly, while others do not disclose limits.

For governments and large organizations, the arrival of another high-paying buyer shifts the risk calculus. Agencies must balance operational needs against reputational, legal, and human-rights risks. For vendors and platform owners it means continued urgency to harden security and patch flaws quickly.

What should organizations do now? Practical steps include revisiting threat models, enforcing patching programs, validating third-party vendor practices, and investing in detection that spots exploitation attempts before data or systems are exfiltrated.

QuarkyByte’s approach is to combine intelligence-driven risk assessments with practical controls: model likely attacker behaviors, simulate realistic exploit chains, and conduct vendor due diligence focused on provenance and use restrictions. That helps legal teams, CISOs, and policy leads make informed choices under uncertainty.

The emergence of Advanced Security Solutions is a reminder that as exploit markets mature, so do the stakes. Transparency, oversight, and technical resilience will determine whether high-priced zero-days are narrowly contained tools or instruments that widen the digital gap between states and citizens.