A previously undisclosed (aka zero-day) exploit can fetch enough money to buy its finder a house. Zerodium, a firm that buys security exploits, has announced that it’s paying $1.5 million for one that can be used to take over iPhones and iPads. That’s thrice what the company used to offer, though it did up the bounty to $1 million last year for a limited time. While that very much smelled like a PR stunt, Zerodium did end up having to pay one group the full amount. Unlike that time, this price bump is permanent. Anyone who’s OK with the fact that Zerodium will sell their find to the government and to various corporations can cash in anytime.
Apple launched its own bounty program back in August, promising to reward researchers with up to $200,000 in cash. That’s far from the $1.5 million Zerodium offers, but as Ars Technica notes, the firm has more demands than a corporation-run program. It will only pay that much for an exploit that’s guaranteed to give attackers complete control over the device they’re targeting. The programs are also after different types of vulnerabilities.
As for why Zerodium decided to triple its bounty, company founder Chaouki Bekrar told Ars that it’s merely a response to how secure the latest versions of mobile platforms like iOS and Android are. The reward for iOS exploits is also a whole lot more than the $200,000 it’s offering for Android hacks, either because it’s harder to crack iOS 10 than Android 7 or because the demand is higher. “The reality is a mix of both,” he said.
As you can imagine, companies like Zerodium are highly controversial. When it announced its million-dollar reward last year, Lance Cottrell, chief scientist of security firm Ntrepid, told us that whatever it snaps up is “almost certainly going to be used against people’s best interests.” The government could use it to monitor people other than terrorists and criminals. Companies could use it to keep an eye on their competitors. Bekrar argued, however, that the government and law enforcement agencies such as the FBI need these exploits for the sake of national security.
For the record, @Zerodium iOS bounty does NOT compete with @Apple as we focus on browsers+kernel while they focus on secure boot and enclave
— Chaouki Bekrar (@cBekrar) September 29, 2016