Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
IOS Security Apple

Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme ( 29

Joseph Cox, writing for Motherboard: Last week, Apple finally joined other technology giants and announced a bug bounty programme, where hackers can submit details of previously unknown vulnerabilities in Apple systems and devices, and get paid for sharing them with the company. But Apple is not going to be without competition. On Wednesday, established bug-hunting company Exodus Intelligence launched its own new acquisition programme for both vulnerabilities and exploits. And when it comes to iOS bugs, the company is offering up to more than double Apple's maximum payout. While Apple's highest bounty is $200,000, Exodus is advertising a maximum of $500,000 for vulnerabilities affecting iOS 9.3 or above. Exodus provides details of vulnerabilities and working exploits to customers who pay a subscription fee of around $200,000 per year, according to Time. Those customers could be on the defensive side -- such as antivirus vendors who want to plug newly discovered holes -- or part of an offensive team using the exploit to target systems themselves. On its site, Exodus emphasises the former, writing that it "works with the research community to find these attacks first and make them available to security vendors and enterprises, allowing them to deploy defenses before their adversaries can attack."
This discussion has been archived. No new comments can be posted.

Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme

Comments Filter:
  • This is why Apple's bug bounty program is a complete and utter sham.

    • Now if they don't demand exclusivity... or if you and a "friend" can submit very similar bugs to each program separately and reap multiple rewards...

    • Or maybe it's because the governme- I mean the Zero-Day hunters - have a bigger wallet than Apple?
  • The solution is obvious: Apple should get a subscription from Exodus. It could be much cheaper than buying each individual security vulnerability from researchers.

    • I would imagine that on the black hat side, there's a price premium if a vulnerability has not yet been disclosed to the platform's vendor. If Exodus is agnostic and allowed Apple to join, that would increase the value of vulnerabilities sold elsewhere instead of to Exodus, meaning they are less likely to show up on Exodus. If Exodus is in it to maximize profit even if it means favoring the black hats, they have a profit incentive to keep Apple (and other vendors) out of their subscription base. Either w
  • Is that they then sell the vulnerability to highest government bidder.
  • It was $1M last year (Score:5, Interesting)

    by tlhIngan ( 30335 ) <> on Wednesday August 10, 2016 @12:51PM (#52678311)

    Face it, Apple can never outbid on bugx.

    I mean, last year, they offered 3 prizes of $1M each for a jailbreak [] (one of which was claimed).

    At a time when Windows and Android exploits go for maybe $10,000 each regularly and $100k tops, iOS vulnerabilities exceed that.

  • "Thinly-Veiled Extortion Racket Offers Large Amounts Of Totally Legitimate Money"
  • Looking at their web-site they sound more like weapon dealers to me: "The team employs exclusive in-house techniques to create a working exploit tool for the vulnerability" and "We design our offerings such that our clients can digest the information regardless of their intended implementation."

  • by Anonymous Coward

    I think the point is that a bug-finder can at least get paid for doing the 'right thing' instead of not.

    The black market is likely to be more lucrative in nearly any endeavor.

Pascal is not a high-level language. -- Steven Feiner