Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day Hunters Will Pay Over Twice as Much as Apple's New Bug Bounty Programme (vice.com)

Posted by msmash on from the please-take-my-money dept.

Joseph Cox, writing for Motherboard: Last week, Apple finally joined other technology giants and announced a bug bounty programme, where hackers can submit details of previously unknown vulnerabilities in Apple systems and devices, and get paid for sharing them with the company. But Apple is not going to be without competition. On Wednesday, established bug-hunting company Exodus Intelligence launched its own new acquisition programme for both vulnerabilities and exploits. And when it comes to iOS bugs, the company is offering up to more than double Apple's maximum payout. While Apple's highest bounty is $200,000, Exodus is advertising a maximum of $500,000 for vulnerabilities affecting iOS 9.3 or above. Exodus provides details of vulnerabilities and working exploits to customers who pay a subscription fee of around $200,000 per year, according to Time. Those customers could be on the defensive side -- such as antivirus vendors who want to plug newly discovered holes -- or part of an offensive team using the exploit to target systems themselves. On its site, Exodus emphasises the former, writing that it "works with the research community to find these attacks first and make them available to security vendors and enterprises, allowing them to deploy defenses before their adversaries can attack."

12 of 29 comments (clear)

  1. And they won't need to pre-approve you by Chas · · Score: 1

    This is why Apple's bug bounty program is a complete and utter sham.

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re:And they won't need to pre-approve you by _Sharp'r_ · · Score: 2

      Now if they don't demand exclusivity... or if you and a "friend" can submit very similar bugs to each program separately and reap multiple rewards...

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    2. Re:And they won't need to pre-approve you by wardrich86 · · Score: 2

      Or maybe it's because the governme- I mean the Zero-Day hunters - have a bigger wallet than Apple?

    3. Re:And they won't need to pre-approve you by Aereus · · Score: 1

      This is true, but at the same time, when you have as much capital on-hand as Apple, why not pay more than the bad guys to make sure you get the majority of the exploits? The only ones that will keep them close to the hip are those that find out the exploit AND figure they can personally benefit more by using it. That is a much smaller portion of the bug hunters.

  2. Apple should subscribe to Exodus by paulpach · · Score: 1, Insightful

    The solution is obvious: Apple should get a subscription from Exodus. It could be much cheaper than buying each individual security vulnerability from researchers.

    1. Re:Apple should subscribe to Exodus by Solandri · · Score: 1

      I would imagine that on the black hat side, there's a price premium if a vulnerability has not yet been disclosed to the platform's vendor. If Exodus is agnostic and allowed Apple to join, that would increase the value of vulnerabilities sold elsewhere instead of to Exodus, meaning they are less likely to show up on Exodus. If Exodus is in it to maximize profit even if it means favoring the black hats, they have a profit incentive to keep Apple (and other vendors) out of their subscription base. Either way, it's unlikely Apple would recoup their subscription fee to Exodus as a cost-cutting measure as you are suggesting.

      That's the tricky thing about the market and market pricing. It doesn't just influence the behavior of actors on the demand side as you're assuming. It also influences the behavior of actors on the supply side. The "value" of a vulnerability is basically how much a black hat could steal using it, minus the costs associated with effort and resources to exploit that vulnerability. Apple needs to pay more than that net value to get people to turn their vulnerability over to them instead of to someone else, any way you slice it.

  3. Obvious motivation by cosm · · Score: 1

    Is that they then sell the vulnerability to highest government bidder.

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  4. It was $1M last year by tlhIngan · · Score: 4, Interesting

    Face it, Apple can never outbid on bugx.

    I mean, last year, they offered 3 prizes of $1M each for a jailbreak (one of which was claimed).

    At a time when Windows and Android exploits go for maybe $10,000 each regularly and $100k tops, iOS vulnerabilities exceed that.

  5. Whoa surprise there by American+AC+in+Paris · · Score: 1

    "Thinly-Veiled Extortion Racket Offers Large Amounts Of Totally Legitimate Money"

    --

    Obliteracy: Words with explosions

    1. Re:Whoa surprise there by American+AC+in+Paris · · Score: 1

      Sorry, sorry, would have been more accurate to have said "Protection Racket" instead of "Extortion Racket".

      --

      Obliteracy: Words with explosions

  6. Bug-Hunters? by mseeger · · Score: 1

    Looking at their web-site they sound more like weapon dealers to me: "The team employs exclusive in-house techniques to create a working exploit tool for the vulnerability" and "We design our offerings such that our clients can digest the information regardless of their intended implementation."

  7. Sure by Anonymous Coward · · Score: 1

    I think the point is that a bug-finder can at least get paid for doing the 'right thing' instead of not.

    The black market is likely to be more lucrative in nearly any endeavor.