Security firm Zimperium will spend US$1.5 million buying hacks targeting flaws in three-year-old Android KitKat and ancient versions of iOS.
The Californian threat detection company, now turned exploit buyer, will splash cash acquiring private exploits for publicly patched vulnerabilities dating back at least to the 2013 KitKat release, which was only overtaken in March as the most widely installed version of Android.
It explicitly does not want zero day exploits.
Buying exploits for already-patched vulnerabilities is a novel twist, given that subscription exploit brokers such as Vupen and Zerodium pay elephant bucks for exclusive zero-days.
Exploits for old, known bugs are, however, the bread and butter of black hat hacking, and they remain highly effective because so many devices never receive the fix. Zero-days are harder to find and harder to use.
Zimperium founder Zuk Avraham says the exploits will be handed to its private list of mobile phone clients including major carriers and manufacturers like Samsung and Blackberry. Subscribers will have between one and three months to brew patches or apply available fixes before the exploits are revealed online, unless the disclosing researcher objects.
The exploits, which must come with a proof-of-concept demonstration, will also be used to train the threat detection products the company sells to clients.
"We will provide ZHA (mobile phone) partners between one and three months' advance notice before releasing the exploit publicly, unlike most exploit acquisition programs," Avraham says.
"We would like to encourage security researchers to provide proofs for exploitation of known vulnerabilities … multiple ZHA partners explained to us that without proof of exploitability, it’s hard to convince the security teams to allocate resources needed for a complete patch cycle, even for known issues.
"We hope this program will encourage more researchers to look into monthly security updates, and promote better patching."
Remote exploits, and 'beautiful' ones, will be paid more than local exploits, with payouts set by Zimperium's respected hacker crew.
Information disclosure and other vulnerability classes are eligible for payment and crediting.
Android's fragmented ecosystem features dozens of versions and variants. That makes it hard for telcos and handset-makers to keep up, and as a result they seldom push updates to users.
Only Apple devices and Google's Nexus and Pixel lines receive immediate patching. All other devices that sport modified Android operating systems must wait for reluctant manufacturers to push patches into their platforms. That effort often takes months, if it happens at all.
This diversity can be an odd security boon, since exploits sometimes need to be tweaked to target different handset models. Attackers don't have unlimited resources either, so even when they know about a bug they must decide which 'Droids to target. ®