It was only last week that Apple finally launched a bug bounty program, but it didn't take long for exploit peddlers to outbid the tech giant.
Apple is offering security researchers up to $200,000 if they privately disclose serious, critical holes in software rather than take such vulnerabilities and exploits elsewhere. However, Exodus Intelligence upped the game on Tuesday by raising Apple's bid, luring researchers with rewards of up to half a million for valid Apple software bugs.
The exploit trader has launched a "hit list" of the hottest, most wanted exploits for software including Apple iOS, Google Chrome, Microsoft Edge and Adobe Flash. The company will pay $500,000 for the most dangerous bugs in Apple iOS 9.3 and above -- and researchers can choose to take a lump sum or smaller payments which continue to roll in as long as the exploit is still alive.
Exodus is willing to pay researchers by check, wire transfer, Western Union or Bitcoin.
"Exodus is excited to be engaging the global research community in our mission to provide the highest quality of vulnerability intelligence in the industry," said Logan Brown, president of Exodus Intelligence. "This additional source of research, supplemented by the investigation and validation of our world-class team, will continue to ensure that our clients receive early notification of the most critical vulnerabilities so that they can offer the best defense possible."
The iPad and iPhone maker may be offering double the top reward that Google does, but due to the popularity of Apple devices, zero-day exploits and software flaws are hot property for third-party sellers. It is possible for anyone with the funds to purchase vulnerabilities and exploit kits through the dark web, but governments and law enforcement are also very interested in such disclosures.
As more tech vendors shift towards encryption by default, law enforcement is finding it difficult to tap into these devices in the search for criminal evidence. The FBI, for example, reportedly paid security researchers who came forward with an exploit to crack San Bernardino shooter Syed Farook's iPhone.
While customers with deep pockets exist, so will third-party exploit sellers -- and this is not the first time exploit hunters have offered bigger rewards than the official vendor to hunt down and report potentially lucrative bugs -- and will likely not be the last time, either.
In November, exploit peddler Zerodium awarded $1 million for demonstrating a remote exploit for Apple's iOS 9 mobile operating system.
This story originally posted as "Exploit broker steals Apple thunder, offers $500,000 for iOS zero days" on ZDNet.
Apple - USE TAG
reading•Exploit broker offers $500,000 for iOS bugs
Nov 15•Apple's Safari tests 'not secure' warning for unencrypted websites
Nov 15•Tim Cook named ADL's inaugural 'Courage Against Hate' award recipient
Nov 14•Black Friday iPhone deals 2018: $150 off iPhone XR and XS, $400 iPhone X gift card
Nov 14•T-Mobile's early Black Friday deal includes free iPhones, LG and Samsung Galaxy phones