New $500,000 iOS bug bounty beats Apple’s best offer

“A security firm is offering up to $500,000 for information on zero-day vulnerabilities in iOS, surpassing Apple’s bug bounty just days after it was announced,” Michael Kan reports for IDG News Service.

“On Tuesday, Texas-based Exodus Intelligence said it will give between $5,000 and $500,000 for zero-day vulnerabilities relating to iOS version 9.3 and higher,” Kan reports. “Exodus’s announcement might draw interest away from Apple’s own bug bounty program, which was unveiled last week. Apple is giving as much as $200,000 for critical vulnerabilities in iOS.”

“Zero-day vulnerabilities are also valuable to private security companies. Exodus Intelligence makes its business by alerting clients of critical threats before the software providers and hackers even know of them,” Kan reports. “The company claims it can warn clients of the flaws up to two years in advance.”

MacDailyNews Take: The more, the merrier! Thanks to these new programs, Apple product users will enjoy even more security and privacy protections.

15 Comments

  1. What’s very interesting is that the bounty is now half a million dollars.

    There is no chance anyone will offer more than $100 for finding holes in Windows (or Android). They’d go bankrupt at the end of the first month…

    1. I cannot imagine that they would. The vulnerability is only worth money when Apple and the general public don’t know about it. The moment it is known, it becomes pretty much worthless because Apple will fix it right away. I can only surmise that they are offering money for vulnerabilities because they intend to sell or exploit them themselves.

  2. Ahem. The only reason I can imagine a company paying MORE than Apple for zero-day (<–correct spelling) exploits is because they are going to SELL THEM TO SOMEONE. Possibly, they want to hold the zero-day for ransom 😉 until Apple coughs up a $Million, AND/OR they want to sell the zero-day to someone who WILL pay the ransom, such as the FBI or worse.

    I always champion the hackers who dig up and reveal Apple security flaws! But when it’s a competition between Apple and the hackers as to WHO WILL PAY MORE for zero-day exploits, I get damned worried. This is likely NOT a good thing.

  3. A security company can also make money by offering clients a way to hack into Macs as part of a “forensics” package. People like Hacking Team, who are notorious for selling their products to governments.

    Then of course there is our own NSA, CIA and the rest of the alphabet soup that competes for zero day exploits. The FBI has supposedly spent $775,000 on Hacking Team’s flagship product.

    Stuff is worth big dollars. As the Mac grows in popularity so do Mac exploits.

    And you don’t want to try double dipping either. I.e. sell your exploit to more than one entity. Barring Apple, most of these folks don’t play nice.

    A Zero day known only to one company or group can find its way into networks and stay there for years. $$$$$$ in value.

  4. Here is a novel idea. If the government was serious about electronic security they should let these payments be tax free.

    Also, any expenses incurred in finding the bug should be tax deductible.
