Last week, Apple finally joined other technology giants and announced a bug bounty programme, where hackers can submit details of previously unknown vulnerabilities in Apple systems and devices, and get paid for sharing them with the company. But Apple is not going to be without competition.
On Wednesday, established bug-hunting company Exodus Intelligence launched its own new acquisition programme for both vulnerabilities and exploits. And when it comes to iOS bugs, the company is offering up to more than double Apple's maximum payout. While Apple's highest bounty is $200,000, Exodus is advertising a maximum of $500,000 for vulnerabilities affecting iOS 9.3 or above.
Exodus provides details of vulnerabilities and working exploits to customers who pay a subscription fee of around $200,000 per year, according to Time. Those customers could be on the defensive side—such as antivirus vendors who want to plug newly discovered holes—or part of an offensive team using the exploit to target systems themselves. On its site, Exodus emphasises the former, writing that it "works with the research community to find these attacks first and make them available to security vendors and enterprises, allowing them to deploy defenses before their adversaries can attack."
Traditionally, companies like Exodus pay more for vulnerabilities than the tech giants affected. Indeed, if that wasn't the case, researchers looking for a payday may instead just inform Apple, which would then patch the vulnerability for everyone, making the attack lose its financial value.
Those who submit their bugs to Exodus could receive extra cash on top of the lump sum for every quarter that the zero-day is still alive, and can be paid by check, wire transfer, Western Union, or Bitcoin, according to the website.
It's not clear what sort of attack would warrant the $500,000
There are some differences between the Apple and Exodus programmes. Apple lists specific areas it is trying to cover, such as secure boot firmware, vulnerabilities that allow extraction of confidential material from the Secure Enclave (a special section of the device that stores, amongst other things, the user's fingerprint data), and execution of arbitrary code with kernel privileges (the kernel being the heart of the operating system).
Exodus, meanwhile, doesn't point to any particular iOS targets, so it's not clear what sort of attack would warrant the $500,000. (Update: Logan Brown, president of Exodus Intelligence, told Motherboard in an email that the maximum $500,000 payout is awarded to a full chain of vulnerabilities that attain remote code execution and the ability to persist on the device. "We do require a reliable exploit for the purchase, so our programme differs from Apple, as they are interested in vulnerabilities in their security architecture, and do not require the exploit," Brown added.)
Last year, Zerodium, another vulnerability company, paid $1 million to a group of hackers who compromised a device using a number of issues in Chrome and iOS. That figure was a one-time offer, and Zerodium's bounty for an iOS exploit has since halved to $500,000 too.
As well as the heftier maximum payouts, anyone can register on Exodus's site to submit vulnerabilities, while Apple's programme is by invitation-only, at least for the time being.
Exodus publishing its price list is a sign of an emerging trend in the zero-day business. Previously a trade largely conducted in private, Exodus is now the second company to go public with its prices, after Zerodium. Exodus's "current hitlist" also includes Google Chrome, Microsoft EDGE, and Firefox, and the company is also paying for exploits of already-known vulnerabilities.