This article is more than 1 year old
$200,000 for a serious iOS bug? Pfft, we'll give you $500,000, says exploit broker Exodus
Market pricing comes to security flaw bounties
Last week Apple made its belated entrance into the bug bounty market, announcing a top award of $200,000 for major flaws in iOS, but Cook & Co have been comprehensively outbid.
On Tuesday, exploit trading firm Exodus Intelligence said it is willing to pay $500,000 for a major flaw in iOS 9.3 and above – and the exploit to use it. Researchers can either take a lump sum or accept a smaller sum and quarterly payments until the exploit is found, which the company's founder told The Reg could add up to even more.
"The majority of our clients are defensive vendors, penetration testers, and red/blue teams," said Logan Brown, president of Exodus.
Apple exploits get the highest reward, reflective of their scarcity. Microsoft and Google's bug bounty programs will also need to up their rewards to match Exodus's prices.
A zero day in Google Chrome would earn a maximum of $150,000, 50 per cent more than the Chocolate Factory's highest cash payout.
Meanwhile, finding a serious flaw in Redmond's Edge browser is worth $125,000 to Exodus, dwarfing the $500 and $1,500 currently offered by Microsoft. There's also $75,000 up for grabs if you can subvert the local privileges in Windows 10 and show how it's done.
Exodus has said it's happy to pay these bounties in check, wire transfer, Western Union, or Bitcoin.
Nevertheless, this is exactly the type of bidding war that major software companies didn't want to see when they started doing bug bounties. Initially prices for vulnerabilities were set low, but are rising to meet market rates. Now security researchers are able to make a decent living practicing their craft.
Security experts are worried that the hoarding of serious flaws will have a deleterious effect on overall security for everyone. Exodus attempted to reassure people on this front by beginning a vulnerability disclosure process back in February, but it only discloses after it has extracted the "maximum value for our customers." ®