Did I call Apple’s newly hatched bug bounty program “nicely lucrative,” with bounties that go up to $200,000?
Hahahaha!!! Silly me!
That’s chump change, says the exploit broker Exodus Intelligence, which is offering more than twice that: $500,000 for major exploits in iOS 9.3 and above.
You have to log in to see the details, but anybody can see the general prices on the company’s hit list, which also includes the likes of Google Chrome, Firefox, Microsoft EDGE, Windows 10 LPE, Adobe Reader and Adobe Flash.
Exodus isn’t the only private company offering to top big tech firms’ bounties for vulnerabilities.
Last year, a company called Zerodium offered up to $3,000,000 for iOS 9 jailbreak exploits.
In November, it said on Twitter that one winning team had accomplished one of those $1 million, remote browser-based iOS 9.1/9.2b jailbreaks.
Zerodium subsequently cut that bounty in half, down to $500,000, for new iOS zero-days.
Motherboard quoted a report that says that Exodus Intelligence’s customers pay annual subscription fees that start at $200,000 for access to its exploit database.
The report quoted Exodus Intelligence co-founder Aaron Portnoy as saying that Exodus is interested in delivering the nastiest of the nasties:
We try to make them as nasty and invasive as possible. We tout what we deliver as indicative of or surpassing the current technical capabilities of people who are actually actively attacking others.
It sells to two types of buyers: “offensive and defensive.”
On the defense side, Exodus’s clients include security firms and antivirus vendors looking for information they can integrate into their products or keep their clients informed about.
Then there are the penetration tester clients: those who use Exodus’s zero-days to play the “red team” in simulated attacks on their own or other people’s networks. This group also includes government agencies.
One comment on “Exploit broker offers 2.5 times what Apple offers for serious iOS bugs”
Exodus sounds more like a gun-running company that cops don’t touch, but should. The only reason to pay so much to prevent manufacturers from getting the info is to use it illegally. So that leads to the question: if they are caught selling virtual weapons to criminals that commit crimes, will they get charged like scum that knowingly sell physical weapons to those that use them to commit crimes?