Firm Offers $500,000 for Zero-day iOS Exploit; More Than Double Apple's Highest Bounty
Last week, Apple finally announced a bug bounty program under which researchers and white hat hackers get paid for reporting details of zero-day vulnerabilities in its software and devices.
The company's top payout is $200,000, which it says is 10 times the maximum reward Google offers and double the highest bounty paid by Microsoft.
But now Apple faces competition from a zero-day acquisition firm named Exodus Intelligence.
Exodus Intelligence is offering more than double Apple's maximum payout for zero-day vulnerabilities affecting the newest versions of iOS.
The company is willing to pay more than $500,000 for zero-day vulnerabilities and exploits affecting iOS 9.3 and above.
Although Exodus calls the scheme its 'Research Sponsorship Program,' the company actually makes its money by buying and selling zero-day vulnerabilities and exploits.
On Wednesday, Exodus launched a new bonus structure for the acquisition of details and exploits for zero-day vulnerabilities.
Exodus Intelligence's hit-list also shows that the firm will pay:
- Up to $150,000 for a zero-day in Google Chrome (50% more than Google's highest payout)
- Up to $125,000 for a serious flaw in Microsoft's Edge browser (compared with the $500 to $1,500 Microsoft currently offers)
- Up to $80,000 for a serious flaw in Mozilla's Firefox
- Up to $75,000 for a local privilege escalation vulnerability in Windows 10
- Smaller payouts of $60,000 for flaws in Adobe Reader and in Flash Player
The zero-day market has long been a lucrative business for private companies, which regularly offer higher payouts for vulnerabilities than the big technology firms do.
Last year, security firm Zerodium paid $1 Million to a group of hackers for an iPhone hack, though that figure was later lowered to "up to $500,000" for subsequent iOS exploits.
The market for zero-day vulnerabilities and exploits has become strong because governments, law enforcement agencies, criminals, and the private sector all shop for zero-days for surveillance or research purposes.
The best-known example is the recent fight between Apple and the FBI, which came to an end when the FBI reportedly paid over $1 Million for an iPhone exploit that helped it break into the iPhone of one of the San Bernardino shooters.
There's one more thing Apple should be worried about: while Apple's bug bounty program is invitation-only, at least for the time being, anyone can register on Exodus's website and submit vulnerabilities to its program.
Sources: THN