iOS exploit bounty expands to $1.5 million

Zerodium, a broker of security exploits, is offering $1.5 million for attacks that work against fully patched iPhones and iPads, reports Ars Technica. That’s triple the size of its previous offer.

Zerodium also doubled, to $200,000, the amount it will pay for attacks that exploit previously unknown vulnerabilities in Google’s competing Android operating system, and the group raised the amount for so-called zeroday exploits in Adobe’s Flash media player to $80,000 from $50,000. After buying the working exploits, the company then sells them to its customers, which include major technology, finance, and defense corporations, as well as government agencies. A zero-day vulnerability is one not yet known to the developer, so companies have zero days to prepare for exploits

“Prices are directly linked to the difficulty of making a full chain of exploits, and we know that iOS 10 and Android 7 are both much harder to exploit than their previous versions,” Zerodium founder Chaouki Bekrar told Ars. Asked why a string of iOS exploits commanded 7.5 times the price of a comparable one for Android he said: “That means that iOS 10 chain exploits are either 7.5 x harder than Android or the demand for iOS exploits is 7.5 x higher. The reality is a mix of both.”

Zerodium buys strings of exploits and flips them to government agencies. The state in turn apply the solutions to compromise target devices for surveillance purposes.

“Zerodium’s move significantly puts upward pressure on the already sky-high prices paid for high-severity vulnerability reports,” notes Dan Goodin, security editor at Ars. “It will also ensure that an ample supply of zeroday exploits remain in the wild, despite the non-trivial strides Apple, Google, and other software makers continue to make in security their products.