A new startup is offering up to $3 million dollars for tools to hack into Android and iOS devices, the highest public price offered for such tools.

The startup is called Crowdfense and is based in the United Arab Emirates. In an unusual move in the normally secretive industry of so-called zero-days, Crowdfense sent out a press release to reporters on Tuesday, advertising what it calls a bug bounty.

“Zero-days” or zero-day exploits are hacking tools that leverage bugs or vulnerabilities in computer systems that are unknown to the system’s developers. Over the years, improvements in the security of popular computers and cellphones have created a secretive and controversial industry dedicated to providing these tools to government agencies that need help hacking targets.

Crowdfense’s director Andrea Zapparoli Manzoni told me that he and his company are trying to join that market, purchasing zero-days from independent researchers and then selling them to law enforcement and intelligence agencies.

“When I think about government agencies I don’t think about the military part, I think about the civilian part, that works against crime, terrorism, and stuff like that,” Zapparoli told me in a phone interview. “We only focus on tools aimed at doing activities of law enforcement or intelligence, not aimed at destroying or deteriorating the functionality and effectiveness of the target systems—but only aimed at collecting intelligence.”

The company is only looking for zero-day exploits for Windows, MacOS, iOS, and Android. It’s not interested in exploits for Internet of Things devices, critical infrastructure, telecom companies, or popular sites such as Facebook, according to Zapparoli.

Crowdfense is trying to do things in different ways, “with the maximum possible transparency,” he said. Zapparoli said he doesn’t want to repeat the same mistakes that other companies in this industry did in the past, and specifically mentioned Hacking Team, an Italian vendor of spyware that’s infamous for selling hacking and surveillance tools to oppressive governments.

“Vetting customers is the most delicate part of our whole activity,” Zapparoli said.

For now, however Zapparoli didn’t specify exactly how the company is doing the vetting or who it’s working with. He said Crowdfense is willing to sell only to “very few” customers if that’s what they need to do to make sure their hacking tools don’t end in the wrong hands. He said that in the future it might publish best practices and standards on how it vets customers but for now, it will “self-regulate.”

The local government of the UAE has authorized Crowdfense to open shop in Dubai, Zapparoli said.

“When we have to sell outside of the UAE, normally there are no objections,” Zapparoli said.

https://motherboard.vice.com/en_us/article/pax987/crowdfense-offers-3-million-for-iphone-android-hacks