Slashdot Mirror


Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme (vice.com)

Joseph Cox, writing for Motherboard: Last week, Apple finally joined other technology giants and announced a bug bounty programme, where hackers can submit details of previously unknown vulnerabilities in Apple systems and devices, and get paid for sharing them with the company. But Apple is not going to be without competition. On Wednesday, established bug-hunting company Exodus Intelligence launched its own new acquisition programme for both vulnerabilities and exploits. And when it comes to iOS bugs, the company is offering up to more than double Apple's maximum payout. While Apple's highest bounty is $200,000, Exodus is advertising a maximum of $500,000 for vulnerabilities affecting iOS 9.3 or above. Exodus provides details of vulnerabilities and working exploits to customers who pay a subscription fee of around $200,000 per year, according to Time. Those customers could be on the defensive side -- such as antivirus vendors who want to plug newly discovered holes -- or part of an offensive team using the exploit to target systems themselves. On its site, Exodus emphasises the former, writing that it "works with the research community to find these attacks first and make them available to security vendors and enterprises, allowing them to deploy defenses before their adversaries can attack."

29 comments

  1. And they won't need to pre-approve you by Chas · · Score: 1

    This is why Apple's bug bounty program is a complete and utter sham.

    --

    Chas - The one, the only.
    THANK GOD!!!
    1. Re:And they won't need to pre-approve you by _Sharp'r_ · · Score: 2

      Now if they don't demand exclusivity... or if you and a "friend" can submit very similar bugs to each program separately and reap multiple rewards...

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    2. Re:And they won't need to pre-approve you by wardrich86 · · Score: 2

      Or maybe it's because the governme- I mean the Zero-Day hunters - have a bigger wallet than Apple?

    3. Re:And they won't need to pre-approve you by Anonymous Coward · · Score: 0

      Wallet? No. Line of credit? Sure.

    4. Re:And they won't need to pre-approve you by Anonymous Coward · · Score: 0

      There exist people on earth with technical expertise who also enjoy things like being a nice person and following the law. When provided with a way to do so that benefits society, they will, even if criminal elements happen to be paying more.

      Maybe you should spend more time being the change you want to see in the world and less time making cute slashdot comments. Food for thought.

    5. Re:And they won't need to pre-approve you by Anonymous Coward · · Score: 0

      Nice people don't get sports cars.

    6. Re:And they won't need to pre-approve you by Aereus · · Score: 1

      This is true, but at the same time, when you have as much capital on-hand as Apple, why not pay more than the bad guys to make sure you get the majority of the exploits? The only ones that will keep them close to the hip are those that find out the exploit AND figure they can personally benefit more by using it. That is a much smaller portion of the bug hunters.

  2. Bug bounties are usually way under-valued by Anonymous Coward · · Score: 0

    Think about the damage to goodwill alone if your product had a vulnerability that was known to bad actors but not to the company because it was too cheap to pay for it.

  3. Apple should subscribe to Exodus by paulpach · · Score: 1, Insightful

    The solution is obvious: Apple should get a subscription from Exodus. It could be much cheaper than buying each individual security vulnerability from researchers.

    1. Re: Apple should subscribe to Exodus by Anonymous Coward · · Score: 0

      Assuming that they don't have a shell company doing it already.

    2. Re:Apple should subscribe to Exodus by Solandri · · Score: 1

      I would imagine that on the black hat side, there's a price premium if a vulnerability has not yet been disclosed to the platform's vendor. If Exodus is agnostic and allowed Apple to join, that would increase the value of vulnerabilities sold elsewhere instead of to Exodus, meaning they are less likely to show up on Exodus. If Exodus is in it to maximize profit even if it means favoring the black hats, they have a profit incentive to keep Apple (and other vendors) out of their subscription base. Either way, it's unlikely Apple would recoup their subscription fee to Exodus as a cost-cutting measure as you are suggesting.

      That's the tricky thing about the market and market pricing. It doesn't just influence the behavior of actors on the demand side as you're assuming. It also influences the behavior of actors on the supply side. The "value" of a vulnerability is basically how much a black hat could steal using it, minus the costs associated with effort and resources to exploit that vulnerability. Apple needs to pay more than that net value to get people to turn their vulnerability over to them instead of to someone else, any way you slice it.

    3. Re:Apple should subscribe to Exodus by Anonymous Coward · · Score: 0

      There is a certain convenience to selling to Apple that allows a lower price to be palatable, starting with ease of finding the buyer and ending with fewer legal issues. A bug bounty program should not be offering the "black market value" because it is no longer a black market transaction. Remember - Apple just has to find the lowest price ONE person will accept for the bug - not the "value" of exploiting the bug or what other people are asking.

      Also, the existence of the bounty program may place uncertainty on the black market value of a bug. More independent labor searching for bugs, plus an incentive to report, could increase the uncertainty around any exploit purchase. How does the buyer know the bug hasn't been reported and will be fixed shortly?

      White hats, gray hats, and even black hats all probably can put a $ value on not dealing with shady people and ending up in prison. Apple has attempted to guess that value. While I am no expert on this - I assume some security firms may have some idea of the effort required to find a bug and the probability they may find one. If that weighted cost is less than the bounty reward, it becomes a legitimate business decision to hire labor to attack the problem.

  4. Well I offer ONE MILLION dollars by Anonymous Coward · · Score: 0

    For an exploit that lets me take over the world.

  5. Or make 3X the money by Anonymous Coward · · Score: 0

    Submit to the hackers first, then Apple second!

  6. um... by Anonymous Coward · · Score: 0

    Doesn't all this bug bounty shit just encourage people to team up and sell a perfect exploit to the bad guys and an imperfect report to several of the good guys?

    To profit from a war, become an arms dealer and sell to everyone - that's always been my principle in my field. Sell not to help one side win, but to make sure the war lasts as long as possible. Why would it be any different here?

    1. Re: um... by Anonymous Coward · · Score: 0

      Selling to blackhats means potential jail time, and unlike arms dealers, without a weapon when people come for you.

    2. Re: um... by Anonymous Coward · · Score: 0

      I would assume selling to blackhats involves selling to a foreign exploit clearinghouse that ostensibly sells on to security software providers, never actually selling directly to leet hax0rs...

  7. Obvious motivation by cosm · · Score: 1

    Is that they then sell the vulnerability to highest government bidder.

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  8. sounds more like a... by Anonymous Coward · · Score: 0

    cia / nsa front to me.

  9. It was $1M last year by tlhIngan · · Score: 4, Interesting

    Face it, Apple can never outbid on bugs.

    I mean, last year, they offered 3 prizes of $1M each for a jailbreak (one of which was claimed).

    At a time when Windows and Android exploits go for maybe $10,000 each regularly and $100k tops, iOS vulnerabilities exceed that.

    1. Re:It was $1M last year by Anonymous Coward · · Score: 0

      Maybe they should give out root access to paying customers then. Fuck Apple. I liked them better when Jobs was at the helm, but I am admittedly an asshole too. Say what you will about the tenets of national Jobsianism, but at least it's an ethos.

  10. Whoa surprise there by American+AC+in+Paris · · Score: 1

    "Thinly-Veiled Extortion Racket Offers Large Amounts Of Totally Legitimate Money"

    --

    Obliteracy: Words with explosions

    1. Re:Whoa surprise there by American+AC+in+Paris · · Score: 1

      Sorry, sorry, would have been more accurate to have said "Protection Racket" instead of "Extortion Racket".

      --

      Obliteracy: Words with explosions

  11. Bug-Hunters? by mseeger · · Score: 1

    Looking at their web-site they sound more like weapon dealers to me: "The team employs exclusive in-house techniques to create a working exploit tool for the vulnerability" and "We design our offerings such that our clients can digest the information regardless of their intended implementation."

  12. If only this were an APPLE FBI site though? by Anonymous Coward · · Score: 0

    This is an FBI Microsoft site.

  13. Pretty pathetic editing by Anonymous Coward · · Score: 0

    Pretty pathetic editing when you misspell the word "program" in the title. Go read a book and learn something you sack of illiterate dicks.

  14. Sure by Anonymous Coward · · Score: 1

    I think the point is that a bug-finder can at least get paid for doing the 'right thing' instead of not.

    The black market is likely to be more lucrative in nearly any endeavor.

    1. Re:Sure by Anonymous Coward · · Score: 0

      Exactly this. 0day developers have nowhere to go but the black market.

  15. Shut them down by Anonymous Coward · · Score: 0

    If Apple is already paying for bug hunting, then we don't need a parasite out there misdirecting and creating security problems for the criminal element to use (yes, that includes warrantless spying).