There are several factors that may affect per-app supply and demand.
- How expensive is it to discover a new vulnerability in a given app? (This may depend on code base maturity but also on choice of programming language, its inherent memory safety, and supply chain.)
- What privileges does a typical installation of the app grant once RCE is achieved?
- How hard is it to write a working exploit for a newly discovered vulnerability, taking into account the security architecture that protects the app?
- Given a zero-day exploit, how many times will you have the opportunity to use it? How quickly will other parties discover it? Is the vendor willing to provide patches, how long will that take, how much do the updates cost, and how difficult is it to upgrade the software in the field?
- Apps and computers tend to come in packs, and attackers love to move laterally. What opportunities would an attacker gain from lateral movement after gaining persistence in a given system?
- Market share and adoption may be skewed, as attackers may be interested in specific targets such as journalists or politicians, who may form a specific demographic with particular adoption rates, which can differ from those of the general population.