Apple recently announced it will pay up to $200,000 to security researchers who report "zero-day" security vulnerabilities in certain Apple software. That appears to have kicked off a bidding war, as vulnerability broker Exodus Intelligence has announced it will pay up to $500,000 for those same vulnerabilities.
While Exodus uses the innocuous-sounding label "Research Sponsorship Program," the firm makes its money by buying the details of vulnerabilities and then selling them to customers who wish to exploit them to hack devices …
Exodus has posted a "hit list" showing it will pay up to $500,000 for zero-day vulnerabilities in iOS 9.3 and higher, alongside substantially lower bounties for flaws in software such as Google Chrome, Firefox, and Adobe Flash. Bounties range from a low of $5,000 to the previously mentioned $500,000.
Last week, head of Apple security, Ivan Krstic, announced the company would pay bounties to invited researchers who find and report vulnerabilities in certain Apple software.
The maximum payments are:
- Secure boot firmware: $200,000
- Extraction of confidential material protected by the Secure Enclave Processor: $100,000
- Execution of arbitrary code with kernel privileges: $50,000
- Unauthorized access to iCloud account data on Apple Servers: $50,000
- Access from a sandboxed process to user data outside of that sandbox: $25,000
Knowledge of zero-day vulnerabilities is valuable to attackers because the software's creator is unaware of the flaw, meaning the company has had "zero days" to prepare a fix before it is exploited. Such flaws have recently been in the news due to the FBI's likely use of one to break into an iPhone 5c used by one of the shooters in the San Bernardino terrorist attack late last year.