Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme (vice.com) 29

Posted by msmash on Wednesday August 10, 2016 @11:05AM from the please-take-my-money dept.

Joseph Cox, writing for Motherboard: Last week, Apple finally joined other technology giants and announced a bug bounty programme, where hackers can submit details of previously unknown vulnerabilities in Apple systems and devices, and get paid for sharing them with the company. But Apple is not going to be without competition. On Wednesday, established bug-hunting company Exodus Intelligence launched its own new acquisition programme for both vulnerabilities and exploits. And when it comes to iOS bugs, the company is offering up to more than double Apple's maximum payout. While Apple's highest bounty is $200,000, Exodus is advertising a maximum of $500,000 for vulnerabilities affecting iOS 9.3 or above. Exodus provides details of vulnerabilities and working exploits to customers who pay a subscription fee of around $200,000 per year, according to Time. Those customers could be on the defensive side -- such as antivirus vendors who want to plug newly discovered holes -- or part of an offensive team using the exploit to target systems themselves. On its site, Exodus emphasises the former, writing that it "works with the research community to find these attacks first and make them available to security vendors and enterprises, allowing them to deploy defenses before their adversaries can attack."

Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme

This discussion has been archived. No new comments can be posted.

Load All Comments

Search 29 Comments Log In/Create an Account

Comments Filter:

And they won't need to pre-approve you (Score:2)

by Chas ( 5144 ) writes:

This is why Apple's bug bounty program is a complete and utter sham.
- Re: (Score:3)
  
  by _Sharp'r_ ( 649297 ) writes:
  
  Now if they don't demand exclusivity... or if you and a "friend" can submit very similar bugs to each program separately and reap multiple rewards...
- Re: (Score:3)
  
  by wardrich86 ( 4092007 ) writes:
  
  Or maybe it's because the governme- I mean the Zero-Day hunters - have a bigger wallet than Apple?
- - Re: (Score:2)
    
    by Aereus ( 1042228 ) writes:
    
    This is true, but at the same time, when you have as much capital on-hand as Apple, why not pay more than the bad guys to make sure you get the majority of the exploits? The only ones that will keep them close to the hip are those that find out the exploit AND figure they can personally benefit more by using it. That is a much smaller portion of the bug hunters.
Apple should subscribe to Exodus (Score:2, Insightful)

by paulpach ( 798828 ) writes:

The solution is obvious: Apple should get a subscription from Exodus. It could be much cheaper than buying each individual security vulnerability from researchers.
- Re: (Score:2)
  
  by Solandri ( 704621 ) writes:
  
  I would imagine that on the black hat side, there's a price premium if a vulnerability has not yet been disclosed to the platform's vendor. If Exodus is agnostic and allowed Apple to join, that would increase the value of vulnerabilities sold elsewhere instead of to Exodus, meaning they are less likely to show up on Exodus. If Exodus is in it to maximize profit even if it means favoring the black hats, they have a profit incentive to keep Apple (and other vendors) out of their subscription base. Either w
Obvious motivation (Score:2)

by cosm ( 1072588 ) writes:

Is that they then sell the vulnerability to highest government bidder.
It was $1M last year (Score:5, Interesting)

by tlhIngan ( 30335 ) writes: <slashdot&worf,net> on Wednesday August 10, 2016 @11:51AM (#52678311)

Face it, Apple can never outbid on bugx.
I mean, last year, they offered 3 prizes of $1M each for a jailbreak [zerodium.com] (one of which was claimed).
At a time when Windows and Android exploits go for maybe $10,000 each regularly and $100k tops, iOS vulnerabilities exceed that.

Whoa surprise there (Score:2)

by American AC in Paris ( 230456 ) writes:

"Thinly-Veiled Extortion Racket Offers Large Amounts Of Totally Legitimate Money"
- Re: (Score:2)
  
  by American AC in Paris ( 230456 ) writes:
  
  Sorry, sorry, would have been more accurate to have said "Protection Racket" instead of "Extortion Racket".
Bug-Hunters? (Score:2)

by mseeger ( 40923 ) writes:

Looking at their web-site they sound more like weapon dealers to me: "The team employs exclusive in-house techniques to create a working exploit tool for the vulnerability" and "We design our offerings such that our clients can digest the information regardless of their intended implementation."
Sure (Score:1)

by Anonymous Coward writes:

I think the point is that a bug-finder can at least get paid for doing the 'right thing' instead of not.
The black market is likely to be more lucrative in nearly any endeavor.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme (vice.com) 29

Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme More Login

Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme

And they won't need to pre-approve you (Score:2)

Re: (Score:3)

Re: (Score:3)

Re: (Score:2)

Apple should subscribe to Exodus (Score:2, Insightful)

Re: (Score:2)

Obvious motivation (Score:2)

It was $1M last year (Score:5, Interesting)

Whoa surprise there (Score:2)

Re: (Score:2)

Bug-Hunters? (Score:2)

Sure (Score:1)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot