Black Hat Firm Offers $500,000 Bounty For Zero-Day iOS Exploit

Last week, Apple finally announced a bug bounty program for researchers and white hat hackers to find and get paid for reporting details of zero-day vulnerabilities in its software and devices.

The company offers the biggest payout of $200,000, which is 10 times the maximum reward that Google offers and double the highest bounty paid by Microsoft.

But now Apple is going to face competition from a black hat company named Exodus Intelligence.

Exodus Intelligence is offering more than double Apple’s maximum payout for zero-day vulnerabilities affecting the newest versions of iOS.

The company is willing to pay more than $500,000 for zero-day vulnerabilities and exploits affecting iOS 9.3 and above.

Although Exodus labels the program a ‘Research Sponsorship Program,’ the company actually makes money by buying and selling zero-day vulnerabilities and exploits.

On Wednesday, Exodus launched its new bonus structure for the acquisition of details and exploits for zero-day vulnerabilities.

Zero-Day Hit-list:

Exodus Intelligence’s hit-list shows that the firm will also pay:

  • Up to $150,000 for a zero-day in Google Chrome (which is 50% more than Google’s highest payout)
  • Up to $125,000 for a serious flaw in Microsoft’s Edge browser (compared with the $500 to $1,500 currently offered by Microsoft)
  • Up to $80,000 for a serious flaw in Mozilla’s Firefox
  • Up to $75,000 for a local privilege escalation vulnerability in Windows 10
  • Smaller payouts of $60,000 for flaws in both Adobe Reader and Flash Player

The zero-day market has long been a lucrative business for private companies that regularly offer more payouts for vulnerabilities than big technology firms.

Last year, security firm Zerodium paid $1 million to a group of hackers for an iPhone hack, though that figure was later lowered to “up to $500,000” for subsequent iOS exploits.

The market for zero-days and exploits has become strong because governments, law enforcement agencies, criminals, and the private sector shop for zero-days for surveillance or research purposes.

A well-known example is the recent fight between Apple and the FBI, which came to an end when the FBI reportedly paid over $1 million for an iPhone exploit that helped it break into the iPhone of one of the San Bernardino shooters.

There’s one more thing Apple should be worried about: While Apple’s bug bounty program is invitation-only, at least for the time being, anyone can register on Exodus’s website and participate in the program to submit vulnerabilities.

Via Mohit Kumar • Hacker News