Two aspects. The first is client vetting - such organizations (I have in mind a particular organization that's not NSO but also has products which rely on RCEs) simply don't sell at all to random companies - I'm not sure if they sell to companies at all as all the published cases have been from the government sector, but in any case they already know all the potential clients they might have, it's not like there are many of them in the world. And it's not trivial for Apple to falsely pose as, for example, the intelligence agency of Bolivia in a way that's not easily discovered. Also, in the specific case of NSO, every new client will likely require approval from Israel government for the 'arms' export license, and is likely to be vetted by Israeli intelligence agencies which are considered to be quite competent.
The second aspect is that such organizations generally are very wary of actually giving access to RCEs themselves - in many cases they will sell access to the use of RCEs, where the buyer won't get the ability to get the exploit but rather the seller will run the exploit themselves. Of course there are exceptions, but any less trustworthy clients (e.g. if selling to some USA local law enforcement which realistically aren't as secure as FBI) simply won't get the opportunity to compromise the 'goose that lays golden eggs'.
re your second point: you don’t need access to the RCE itself, you could say I want to hack XXX phone number where XXX is a honeypot and try to reverse engineer it from there.
There are others who would know more about this than I do, but a few reasons come to mind:
1. NSO almost certainly has more than one exploit chain at a time. While this would burn one of their exploits, it wouldn’t put them out of business or eliminate the ability for them to get RCE on phones in general.
2. Vendors already have bug bounty programs with established award ceilings. These exploits are almost always far more valuable than the vendor is willing to pay via their bug bounty program. Why would the vendor pay more in this instance?
3. Given (1), how long would this go on for? NSO—who is aware of how many exploit chains they have—likely wouldn’t sell all of their exploits to a single buyer and risk them all getting burned.
The models are different. Silk Road has millions of sellers and millions of buyers; Pegasus has a very small set of both, who would be more difficult to connect with. It probably won’t kill it, but will create a harder to leverage profit model
Do you think the phone vendors have better intelligence apparatus' than NSO, or that NSO doesn't vet the background of who they sell to, given it requires cabinet approval?
