Not just insulting to the dev, but to users as well. Any app on my Mac being able to eavesdrop at all times when wearing AirPods is "worth" just $7k to Apple?
I'm reminded about the Apple Music passage in the After Steve book, where Apple tried to fuck over musicians just because they thought they could get away with it (zero royalty payments during Apple Music trials, so the trial was 100% subsidized by labels and artists), before walking it back. The executives are clearly far more concerned with bad PR, and not guided by values or principles.
Who would you sell it to and what would the buyer do with it? Outline the scenario you have in mind and we can try to sort out how to leverage this specific bug for $7000 worth of some kind of value.
Conceivably, a state actor could use this bug to eavesdrop on an espionage target, no? There is a market for zero-day exploits, where state espionage entities and criminal organizations both pay to learn about the existence of vulnerabilities like this—with prices in the hundreds of thousands to the millions of dollars.
Are you saying that this particular bug would not be worth more than $7000 in one of these markets, or are you questioning the very existence of these markets?
Conceivably, a state actor could use this bug to eavesdrop on an espionage target, no?
Well, let's try to conceive it. Our state level actor is now in possession of an exploit that lets them eavesdrop on a target when they text-dictate or activate Siri, while wearing particular Apple headphones. After getting the target to install a specific malicious app from the App Store. And to run it. And to give it Bluetooth permission. And to make sure to restart it whenever they reboot their phone or the phone kills it for any reason. The value of this as state-level actor surveillance malware feels a lot closer to $0 than $7000 to me but I'm happy to hear a different conception of how this might work.
You're not wrong from a technical perspective, but typically the purchaser would be a broker that re-sells these types of exploits to a state-level actor, or even to another broker. Said brokers are interested in acquiring exploits that check certain boxes for their gov buyers, and anything that checks the iOS box is always going to be a hot commodity.
Remember, at the end of the day the sale is to the government and they have big pockets and less common sense.
There are a number of actors who buy bugs like this - you largely don’t hear about them because once they become notorious it gets harder for them to do their jobs.
Google the NSO Group for an example, and that’s just private entities. Nation-state actors are a whole other market for such things.