A company that acquires and sells zero-day exploits — flaws in software that are unknown to the affected developer — is now offering to pay researchers $20 million for hacking tools that would allow its customers to hack iPhones and Android devices.

On Wednesday, Operation Zero announced on its Telegram accounts and on its official account on X, formerly Twitter, that it was increasing payments for zero-days in those platforms from $200,000 to $20 million.

“By increasing the premium and providing competitive plans and bonuses for contract works, we encourage the developer teams to work with our platform,” the company wrote.

Operation Zero, which is based in Russia and launched in 2021, also added that “as always, the end user is a non-NATO country.” On its official website, the company says that “our clients are Russian private and government organizations only.”

When asked why they only sell to non-NATO countries, Operation Zero CEO Sergey Zelenyuk declined to say. “No reasons other than obvious ones,” he said.

Zelenyuk also said that the bounties Operation Zero offer right now may be temporary, and a reflection of a particular time in the market, and the difficulty of hacking iOS and Android.

“The price formation of specific items is heavily dependent on availability of the product on the zero-day market,” Zelenyuk said in an email. “Full chain exploits for mobile phones are the most expensive products right now and they’re used mostly by government actors. When an actor needs a product, sometimes they’re ready to pay as much as possible to possess it before it gets into the hands of other parties.”

For at least a decade, various companies around the world have offered bounties to security researchers willing to sell the bugs and hacking techniques to exploit those flaws. Unlike traditional bug bounty platforms like Hacker One or Bugcrowd, companies like Operation Zero don’t alert the vendors whose products are vulnerable, but instead sell them to government customers.

This is inherently a gray market, where prices fluctuate and the identity of the customers is often secret. But there are and have been public price lists such as the ones published by Operation Zero.

Zerodium, a company that was launched in 2015, offers up to $2,5 million for a chain of bugs that allows customers to hack an Android device with no interaction from the target, meaning the target doesn’t have to fall for a phishing link, for example. For the same type of chain, Zerodium offers up to $2 million, according to its website.

On modern mobile devices, thanks to improved security mitigations and defenses, hackers might need a series of zero-days to fully compromise and take control of a targeted device.

Crowdfense, a competitor based in the United Arab Emirates, offers up to $3 million for the same kind of chain of bugs on Android and iOS.

Referring to the bounties offered by Zerodium and Crowdfense, Zelenyuk said that he doesn’t believe they will ever drop so low.

“The Zerodium price sheet is outdated, but it doesn’t mean the company still buys for such low prices. They just don’t need to update them, the zero-day business works fine regardless of that,” said Zelenyuk.

The market for zero-days is largely unregulated. But in some countries, companies may have to obtain export licenses from the governments they operate from. This process essentially entails asking permission to sell to certain countries, which may be restricted. This has created a fractured market that is increasingly affected by politics. For example, a recently passed law in China mandates that security researchers alert the Chinese government of bugs before they alert the software makers. This law, according to experts, effectively means China is cornering the market for zero-days in an attempt to use them for intelligence purposes.

“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them,” Microsoft said in a report from last year.

Corrected an earlier version of this story to remove “tenfold” from the second paragraph, this was due to an editor’s error. ZW

Do you have more information about the market for zero-days? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase, and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.

Each year, TechCrunch selects the top 200 early-stage founders from across the globe to feature at TechCrunch Disrupt in San Francisco. And as part of our programming, we host master classes with industry experts and venture capitalists to provide tactical advice and insight to these founders.

Today, I’m excited to share the first of a four-part series with Canvas Ventures’ Mike Ghaffary. In this session, Ghaffary outlined the important components of startup defensibility, the key strategic advantage buckets, and what startups can do to stay competitive as they build and scale.

This private session took place in August, and we are sharing these now so all of you can also reap the benefits of Startup Battlefield.

Meta’s Quest Pro arrived to a mixed reaction when it launched late last year. The consensus – if one can be found – was that the headset presented some impressive technological leaps over its consumer predecessor (the Quest 2), but the $1,500 price tag was ultimately prohibitively expensive. If that sounds at all familiar, it’s because that’s more or less the same feedback we see every time an intriguing new headset his the market.

I had the opportunity to try the headset out back in January at CES, along with the latest from HTC, Magic Leap and Sony PlayStation. I probably shouldn’t have tried it on immediately after the Magic Leap 2 – which was the ultimate example of very good, but entirely too expensive XR technology.

The Quest Pro isn’t the Magic Leap, even though the two are effectively going after the same subset of users: enterprise clients. Meta and Magic Leap both – I think rightfully – determined that the real money is in selling headsets for training, prototyping and other business-minded functions. Many big corporations will spend $1,500 (or even $3,300) without batting an eye, if it means saving money in the long run.

But Meta is not quite ready to abandon the consumer market just yet – nor is it ready to put all its eggs in the AR basket. Sticking to mixed reality affords a fuller spectrum of applications, including more immersive VR experiences – including games. For the AR bit, opaque headset like the Quest Pro rely on passthrough technology, using on-board cameras to effectively reconstruct an image of the world around you.

It’s no surprise, then that the new Quest 3 maintains that technology. The big question is why the Quest Pro is sticking around. The obvious answer is that the Pro is less than a year old. The Quest 2, on the other hand, if a week or two short of its third birthday – in fact, it was released so long ago that it still carried the Oculus name.

Image Credits: Darrell Etherington

Ultimately, however, there is a lot on this new headset that makes the pro version seem almost redundant – or, at very least, very overpriced. While it’s true that new headset lacks some of that enterprise edition’s more premium features, the Pro’s starting price is around 3x that of the Quest 3. That’s not easy to justify. Of course, Meta’s not really thinking much about enterprise year.

Last week, we attended briefing in the Bay Area, featuring the new headset. The Meta Quest 3 inherets a lot of DNA from the Pro, including its mixed reality platform. Even if the company had already invested years and millions into the VR content side of things, maintaining both categories would be foundational, as full immersion lends itself better to the non-casual end of the gaming spectrum. With the exception of a relative handful of titles like Pokemon Go, the current generation of titles don’t require a player to be tied to a fixed real-world location.

According to Meta, the Quest 3’s full-color Passthrough tech has 10x as many pixels as its predecessor and 3x more than the significantly pricier Quest Pro. The visuals are powered by a pair of displays (one per eye) that measure in at 2064 x 2208 pixels (“4K+ Inifinite Display”). It’s the highest res display on any Meta/Oculus device. The 110-degree field of view is roughly 15% wider than the 2. 

Man wearing the Meta Quest 3 mixed reality headset, holding a controller, viewed from the side

The system is powered by the newly announced Qualcomm Snapdragon XR2 Gen 2 chip, which itself promises double the GPU processing power than the Gen 1. In keeping with that 50 upcoming titles are actually graphicly improved versions of older games. Or you can just go ahead and play any of the 500 or so Quest 2-compatible games/apps. There are also 50 entirely new titles coming up on the platform.

Our hands on experience with the handset involved some quick game demos, none of them nearly long enough to give you a full-on review. But that’s kind of the whole deal with these sorts of events. Among the titles were Ghostbusters: Rise of the Ghost Lord, Samba de Amiga and Stranger Things: Tender Claws. Of the three, Ghostbusters is the one that really stuck with me. I admit I’ve got a childhood soft spot for that one – but also, when I close my eyes and think about VR’s promise, it’s these sorts of immersive experiences.

The headset is fairly comfortable. Again, I admit that I didn’t have a ton of time with it – I’ll have to save the more comprehensive writeup for a review. But at 515 grams, it’s a good bit lighter than the notoriously heavy 722 gram Quest Pro. It’s also not a huge bump from the Quest 2’s 500 grams. It’s far easier to imagine working out in Quest 3, versus the professional model.

The visuals are a marked improvement over the last generation. They’re higher res and crisper, which goes a long way toward adding immersion to the whole experience. So, too, does the 40% louder speakers, pai4red with 3D spatial audio tech.

Image Credits: Darrell Etherington

The headset looks a good bit like the Quest 2, though there are now three slits in the front of the visor, positioning the cameras directly in front of the eye. The system also uses SLAM (simultaneous localization and mapping) to map the environment and determine the position of walls and other landmarks. This is more or less the same technology found in autonomous cars and robotic systems. This can help you avoid getting too close when in VR and tie graphics to real world object in AR. They do, however, drop the Pro’s face and eye tracking — so that’s a point in the pricier model’s favor.

The system ships with a pair of refined Touch Plus controllers, which drop their predecessor’s rings, while getting improved haptic feedback. “Feel more connected to every experience with ergonomic, ring-free Touch Plus controllers that let you experience realistic sensations and fine-tuned precision – as if you’re actually holding a bow, scrambling up skyscrapers or blasting through space,” Meta writes. “You can even explore without controllers, thanks to Direct Touch that follows your gestures, letting you use just your hands to find your way.”

Image Credits: Darrell Etherington

The controllers weigh in at 126 grams (including the AAA battery) — 38 grams lighter than the older Touch controllers. The headset should take around two hours to charge from 0-100%. 

Meta is promising roughly the same battery life for the headset as the Quest 2, which was rated at 2-3 hours. Here’s a more complete breakdown directly from the company,

• Overall: Up to 2.2 hours of usage on average
• Media: 2.9 hours of usage on average
•  Gaming: 2.4 hours of usage on average
• Social: 2.2 hours of usage on average
•  Productivity: 1.5 hours of usage on average

Pre-order starts today, shipping on 10/10. If you buy the 128GB model ($499) before 1/27/24, Meta will toss in a free company of Asgard’s Wrath 2. Pick up the 512GB model ($650), and you get the game, along with a six month Meta Quest+ subscription.