Bug Brokerage Ups iOS Exploit Bounty to $1.5 Million

Notorious exploit broker Zerodium has tripled the reward for zero-day exploits in iOS 10 to an astonishing $1.5 million in a move that will keep Apple security teams busy.

The firm, which describes itself as “the premium acquisition program for zero-day exploits and advanced cybersecurity research,” also doubled the reward for Android 7 exploits to $200,000.

Flash RCE exploits now pay up to $100,000 – up from $80,000 – and Microsoft Edge and IE as well as Safari on Mac exploits will pay out $80,000, up from $50,000.

Zerodium boasts that all submitted research will be evaluated in under a week and payment is wired to the developer in a week or less.

The firm also claimed it may go even higher than the new prices for “exceptional exploits or research.”

Its business is a controversial one, given that the firm is effectively peddling exploits to governments so they can spy on people.

It’s up to the respective governments whether they use the tools responsibly to monitor terrorist suspects and catch criminals or, as in a recent case, to spy on human rights activists.

Last month Apple was forced to patch ‘Trident’ – a chain of three zero-day exploits designed to deliver the Pegasus spyware.

It is thought the UAE government had paid an exploit broker for the code. The chain came to light because internationally renowned campaigner Ahmed Mansoor spotted a suspicious-looking text message sent to his iPhone, containing what turned out to be a malicious link, and reported it.

The sums Zerodium and other similar companies are willing to pay out are in stark contrast to the rather more moderate bug bounty programs run by the tech companies themselves.

Apple, for example, will only pay up to $250,000. However, brokers like Zerodium want only high-quality exploits that work seamlessly and are “fully functional,” so the bar is set higher for the vulnerability researchers vying for the larger pot of cash.
