Both of these companies appear to be hoarding iOS vulns of some sort in order to use them as part of their iPhone cracking services which are being provided to law enforcement and governments.
As I’ve mentioned in my podcast, I don’t think this is the correct approach and will ultimately make iPhones a lot more vulnerable to all parties who have an interest in what’s on our phones.
Eventually the vulnerabilities and probably the exploits will leak, they always do. And something that Apple could have fixed 6 months or a year ago is now available to all manner of attackers.
Hopefully Apple can do something about it. Maybe it’s time for a law that makes it a crime if you don’t disclose vulnerabilities to companies instead of putting laws in place that discourage and make security researchers hesitant to disclose what they find to companies.
And something else that occurred to me that’s unrelated to these two companies is the Pwn2Own annual contest which would cause people to sit on vulnerabilities in the hopes of making some money off them during the contest. Not sure if that’s the right way to go either.