It seems that as soon as the news broke about Apple meeting with top hackers to discuss bug bounties, the private security firm Zerodium decided to make its move and offer 15 times what Apple is offering for a zero-day exploit. As such, it has not only upped the ante for an iOS 10 jailbreak payout. It has also taken on the richest company in the world, which is trying to get its house in order.
Who or what is Zerodium?
Zerodium is an exploit broker which runs a bug bounty program similar to what has been announced by Apple. However, the company has its own agenda and has decided to take on Apple in the information war by paying considerably more.
Right now Apple has offered to pay Luca Tedesco, Patrick Wardle, and Nicholas Allegra and others a set fee of $200,000 for their assistance, which consists of reporting bugs, exploits, etc. But Zerodium has said that it is willing to pay more for an iOS 10 jailbreak due to its difficulty.
On its website, the company says the following: “The amounts paid by Zerodium to researchers to acquire their original zero-day exploits depend on the popularity and security strength of the affected software, as well as the quality of the submitted exploit.”
So unlike Apple, which is willing to pay hackers and researchers for any bug and exploit, Zerodium is not. Instead, it prefers to focus on original unreported exploits, such as an iOS 10 jailbreak. In fact, the company does not solely focus on Apple’s software; it offers rewards for information about other software too.
How much will Zerodium pay for an iOS 10 jailbreak?
According to the company’s website, it will give $100,000 for a remote Windows Phone jailbreak and up to $200,000 for Android. It’s offering a staggering $1.5 million for a remote iOS 10 jailbreak. However, the jailbreak must be functioning and original.
Why such a significant amount for an iOS 10 jailbreak? It’s likely that with so many different nation-state intelligence agencies, law enforcement, and commercial entities having an interest in iOS, Zerodium feels that it can still make a profit even with such big payouts. And it shows just how valuable an exploit of iOS has become.
“ZERODIUM pays premium rewards to security researchers to acquire their original and previously unreported zero-day exploits affecting major operating systems. This means software and devices. While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and PoCs but pay lower rewards. At ZERODIUM we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market.”
Zerodium has paid up previously
In 2015 when Zerodium was formed, it offered hackers and researchers a bounty of $1 million for an iOS 9 jailbreak. It paid up six weeks after the prize went live; an anonymous hacker collected it. So as you can tell, this company thinks nothing of going toe-to-toe with the biggest and richest company in the world.
However, there are some differences between what Zerodium is doing and what Apple’s bug bounty program hopes to achieve. Apparently Apple is interested in discovering vulnerabilities in iOS‘ secure boot and secure enclave, meaning first-line defenses. Also the bug bounty program is currently being run as an invite-only initiative.
Zerodium, on the other hand, is offering its bounty to all who can deliver what’s required. However, accusations that it is helping spread cybe- war and wrongful surveillance have been thrown at it.