
Black hat security company increases bounty to $1.5M as iOS 10 ‘much harder to exploit’

Black hat security company Zerodium – which seeks to find vulnerabilities in iOS and Android to sell to corporate and government clients – has increased its maximum bounty for zero-day iOS 10 exploits to $1.5M. It previously offered $1M for iOS 9 vulnerabilities.

A zero-day vulnerability is one not yet known to the developer, so companies have zero days to prepare for exploits. The company’s founder told Ars Technica that the increased reward reflected the improved security in the latest version of iOS. He also explained why the company pays far more for iOS vulnerabilities than Android ones …

“Prices are directly linked to the difficulty of making a full chain of exploits, and we know that iOS 10 and Android 7 are both much harder to exploit than their previous versions,” he told Ars. Asked why a string of iOS exploits commanded 7.5 times the price of a comparable one for Android, he said: “That means that iOS 10 chain exploits are either 7.5 x harder than Android or the demand for iOS exploits is 7.5 x higher. The reality is a mix of both.”

Although it would seem security researchers have far greater incentive to sell exploits to companies like Zerodium rather than report them to Apple, which offers a maximum payout of $200k, Ars notes that the reality is slightly different.

To qualify for a Zerodium bounty, the chain must generally work almost flawlessly to surreptitiously give an attacker complete control over the targeted device. In the parlance of hackers, that’s called a weaponized exploit. It’s not enough that a researcher provides only a rough outline of the vulnerabilities with a less-than-perfect proof-of-concept exploit. The bounties paid by Apple and Google, by contrast, are much less demanding, and as a result, they generally require less work.

Many security researchers would never sell to black hat companies for ethical reasons. But for any who may be tempted, we’ve also noted in the past that black hat companies headline their offers with the maximum possible payout while the range starts at just a few thousand dollars.


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

