Black Hat Firm Offers $500,000 Bounty For Zero-Day iOS Exploit
Last week, Apple finally announced a bug bounty program for researchers and white hat hackers to find and get paid for reporting details of zero-day vulnerabilities in its software and devices.
The company offers the biggest payout of $200,000, which is 10 times the maximum reward that Google offers and double the highest bounty paid by Microsoft.
But now Apple is going to face competition from a black hat company named Exodus Intelligence.
Exodus Intelligence is offering more than double Apple’s maximum payout for zero-day vulnerabilities affecting the newest versions of iOS.
The company is willing to pay more than $500,000 for zero-day vulnerabilities and exploits affecting iOS 9.3 and above.
Although Exodus labels its offering a ‘Research Sponsorship Program,’ the company actually makes money by buying and selling zero-day vulnerabilities and exploits.
On Wednesday, Exodus launched its new bonus structure for the acquisition of details and exploits for zero-day vulnerabilities.
Exodus Intelligence’s hit-list also shows that the firm will pay:
- Up to $150,000 for a zero-day in Google Chrome (50% more than Google’s highest payout)
- Up to $125,000 for a serious flaw in Microsoft’s Edge browser (compared with the $500 to $1,500 Microsoft currently offers)
- Up to $80,000 for a serious flaw in Mozilla’s Firefox
- Up to $75,000 for a local privilege escalation vulnerability in Windows 10
- Smaller payouts of $60,000 each for flaws in Adobe Reader and Flash Player
The zero-day market has long been a lucrative business for private companies that regularly offer more payouts for vulnerabilities than big technology firms.
Last year, security firm Zerodium paid $1 million to a group of hackers for an iPhone hack, though that figure was later lowered to “up to $500,000” for subsequent iOS exploits.
The market for zero-days and exploits has become strong because governments, law enforcement agencies, criminals, and the private sector shop for zero-days for surveillance or research purposes.
The best-known example is the recent fight between Apple and the FBI, which came to an end when the FBI reportedly paid over $1 million for an iPhone exploit that helped it break into the iPhone of one of the San Bernardino shooters.
There’s one more thing Apple should be worried about: While Apple’s bug bounty program is invitation-only, at least for the time being, anyone can register on Exodus’s website and participate in the program to submit vulnerabilities.