It was only last week that Apple finally launched a bug bounty program, but it did not take long for exploit peddlers to outbid the tech giant.
Apple is offering security researchers up to $200,000 if they privately disclose serious, critical holes in software rather than take such vulnerabilities and exploits elsewhere. However, Exodus Intelligence upped the game on Tuesday by raising Apple’s bid, luring researchers with rewards of up to half a million for valid Apple software bugs.
The exploit trader has launched a “hit list” of the hottest, most wanted exploits for software including Apple iOS, Google Chrome, Microsoft Edge and Adobe Flash. The company will pay $500,000 for the most dangerous bugs in Apple iOS 9.3 and above — and researchers can choose to take a lump sum or smaller payments which continue to roll in as long as the exploit is still alive.
Exodus is willing to pay researchers by check, wire transfer, Western Union or Bitcoin.
“Exodus is excited to be engaging the global research community in our mission to provide the highest quality of vulnerability intelligence in the industry,” Logan Brown, president of Exodus Intelligence, said.
“This additional source of research, supplemented by the investigation and validation of our world-class team, will continue to ensure that our clients receive early notification of the most critical vulnerabilities so that they can offer the best defense possible.”
The iPad and iPhone maker may be offering double the top reward that Google does, but because Apple devices are so popular, zero-day exploits and software flaws for them are hot property for third-party sellers. Anyone with the funds can purchase vulnerabilities and exploit kits through the dark web, but governments and law enforcement are also very interested in such disclosures.
As more tech vendors shift towards encryption by default, law enforcement is finding it difficult to tap into these devices in the search for criminal evidence. The FBI, for example, reportedly paid over $1 million to security researchers who came forward with an exploit to crack San Bernardino shooter Syed Farook’s iPhone.
As long as customers with deep pockets exist, so will third-party exploit sellers. This is not the first time exploit brokers have offered bigger rewards than the official vendor for potentially lucrative bugs, and it will likely not be the last.
In November, exploit peddler Zerodium awarded $1 million for demonstrating a remote exploit for Apple’s iOS 9 mobile operating system.