Exploit Broker Offers A Whopping $1.5 Million In iOS 10 Bug Bounties To Sell To Government Spies

A start-up that sells security exploits to government agencies is willing to pay big money for remote hacks on iOS 10, the latest version of Apple's mobile operating system. Specifically, the top award is now an eye-popping $1.5 million, or three times the previous award, for remote hacks that work against up-to-date iPhone and iPad devices running iOS 10.

The company is called Zerodium. It bills itself as the premium exploit acquisition platform for high-end zero-days and advanced vulnerability research. Zerodium has only been in business for a year but is well known in tech circles for its controversial business model and its open advertising of the specific exploits it seeks and the reward amounts it offers, which are usually very large.

iPhone 7

Here's a look at the updated rates for various exploits:
  • Apple iOS 10 (remote jailbreak): $1,500,000 (up from $500,000)
  • Android 7 (remote jailbreak): $200,000 (up from $100,000)
  • Flash (RCE) + Sandbox Escape: $100,000 (up from $80,000)
  • MS Edge + IE (RCE) + Sandbox Escape: $80,000 (up from $50,000)
  • Safari on Mac (RCE) + Sandbox Escape: $80,000 (up from $50,000)
  • OpenSSL or PHP (RCE): $50,000 (up from $40,000)
  • MS Windows Reader App (RCE): $50,000 (up from $30,000)
  • MS Office Word/Excel (RCE): $40,000 (up from $30,000)
Prices are up across the board, including a doubling of the amount Zerodium is willing to pay for remote Android 7 vulnerabilities. The company promises to evaluate and verify all submitted exploits within a week or less and, if they qualify, to make payment by wire transfer, also within a week or less.

In 2015, the company offered $1 million for iOS exploits with a $3 million ceiling, but dropped the price to $500,000 after paying out three qualifying submissions. Zerodium founder Chaouki Bekrar tells Ars Technica that the new, higher rates (triple last year's reduced amount in the case of iOS) reflect improvements that Apple and Google made to their respective operating systems, which are now harder to hack.

"Prices are directly linked to the difficulty of making a full chain of exploits, and we know that iOS 10 and Android 7 are both much harder to exploit than their previous versions," Bekrar said.

He also explained that iOS 10 exploits pay out 7.5 times more than Android 7 exploits either because Zerodium deemed iOS 10 to be 7.5 times more difficult to exploit or because demand for such exploits is 7.5 times higher.