
Exploit broker offers $500,000 for iOS bugs

The $200,000 Apple is offering for bugs now seems like small change.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.

It was only last week that Apple finally launched a bug bounty program, but it didn't take long for exploit peddlers to outbid the tech giant.


Exodus' current list of most wanted exploits.


Apple is offering security researchers up to $200,000 if they privately disclose serious, critical holes in its software rather than take such vulnerabilities and exploits elsewhere. However, Exodus Intelligence outbid Apple on Tuesday, luring researchers with rewards of up to half a million dollars for valid Apple software bugs.

The exploit trader has launched a "hit list" of the hottest, most wanted exploits for software including Apple iOS, Google Chrome, Microsoft Edge and Adobe Flash. The company will pay $500,000 for the most dangerous bugs in Apple iOS 9.3 and above -- and researchers can choose to take a lump sum or smaller payments which continue to roll in as long as the exploit is still alive.

Exodus is willing to pay researchers by check, wire transfer, Western Union or Bitcoin.

"Exodus is excited to be engaging the global research community in our mission to provide the highest quality of vulnerability intelligence in the industry," said Logan Brown, president of Exodus Intelligence. "This additional source of research, supplemented by the investigation and validation of our world-class team, will continue to ensure that our clients receive early notification of the most critical vulnerabilities so that they can offer the best defense possible."

The iPad and iPhone maker may be offering double the top reward that Google does, but due to the popularity of Apple devices, zero-day exploits and software flaws are hot property for third-party sellers. It is possible for anyone with the funds to purchase vulnerabilities and exploit kits through the dark web, but governments and law enforcement are also very interested in such disclosures.

As more tech vendors shift towards encryption by default, law enforcement is finding it difficult to tap into these devices in the search for criminal evidence. The FBI, for example, reportedly paid security researchers who came forward with an exploit to crack San Bernardino shooter Syed Farook's iPhone.

As long as customers with deep pockets exist, so will third-party exploit sellers. This is not the first time exploit hunters have offered bigger rewards than the official vendor for potentially lucrative bugs, and it will likely not be the last.

In November, exploit peddler Zerodium awarded $1 million for demonstrating a remote exploit for Apple's iOS 9 mobile operating system.

This story originally posted as "Exploit broker steals Apple thunder, offers $500,000 for iOS zero days" on ZDNet.