> I think the type of users it attracts (techies, crypto ppl, etc) makes it worth more too.
No, this by itself doesn't make Little Snitch or any business worth $50M. You're dreaming. That's a crazy valuation.
Depends on the target and what you can get. Think about Bartender, an app requiring an insanely high level of trust and permissions, which was quietly sold.
If you know of someone specific you want to target who uses it, the investment could pay off.
For example, we know from your blog posts that you use Little Snitch. Someone who wanted to target you might do a lot to spy on you by buying Little Snitch, probably.
Think of your own apps, too. I don’t think you’d do the same that Ben Surtees did and sell everything in secret, but then again I don’t personally know you. You may have a price that I’m not aware of. For that reason alone, even as I trust the current code is not nefarious, I can never give StopTheMadness access to every website and can only use it selectively, which is inconvenient.
Yes, the number is silly. But that makes the danger even more relevant. They could really get it for a couple million to a couple of people, and double or triple that payment (or stretch it out over a long period) to make sure everybody knows to shut up about it.
(Taking this reply as an excuse to write a concurring rant...)
Also, once you've compromised somebody's integrity and got them on the payroll, why not use them for other things? They can join other projects, they can sit on foundation boards, they can become tech media personalities, etc., etc....
There's nothing tinfoil about this. It's cheap and easy. You could subvert every open source project in the world for less than the cost of one fancy plane, or a few fancy missiles. The CIA went in on a crypto company, got it to weaken everyone's crypto, and likely killed the son who inherited it from the previous owner. "Nation-state buying Little Snitch" is not some crazy fantasy, it's a mundane scenario (I'm sounding like an LLM today, I think.) Even though OpenSnitch could be compromised even more cheaply, they show all their code.
Also, aggressors don't just use carrots, they use sticks. The Altman sister stuff for example (true or not, works even better if it's true) certainly seems like a stick. Top of the world, then suddenly a jury (easily subverted by a state) puts you in prison or takes away control of your company, and now you're killed (or "kill yourself") in prison or otherwise. Now your widower and your sister own the company, and they say yes to everything. If my multi-billionaire brother molested me, you'd never hear about it because he would have trivially given me enough money to forget about it and him. I wouldn't be filing any lawsuit. Makes me suspect that he's being resistant to something.
Various intelligence agencies are willing to pay 2-3M for a working exploit for iPhone or Android. I think that they would be fine with paying 50M for a userbase that has a high population of devs, admins, etc. Being able to backdoor someone like this in the right organization down the line is probably worth 50M.