Want to make US$1.5m this weekend? Just jailbreak iOS
Zerodium triples iOS exploit bounty to $1.5M, doubles 'droid to $200k
Exploit broker Zerodium has tripled its bug bounty for a remote iOS 10 jailbreak vulnerability to US$1.5 million.
The outfit previously offered US$500,000 for remote iOS 9 jailbreaks, which was temporarily increased last year when a US$1 million reward was paid out in November to an unnamed hacker group.
The increase is designed to attract more researchers to seek complex exploit chains in Apple's mobile operating system.
Hackers will score the payout within a week of submitting the vulnerability and a polished and weaponised proof-of-concept.
Zerodium also doubled rewards for remote rooting vulnerabilities on Android versions six (Marshmallow) and seven (Nougat) to US$200,000.
Chief executive officer Chaouki Bekrar says the increase is in line with demand and the tougher security of the latest iOS and Android operating systems.
While the payouts dwarf vulnerability rewards offered to researchers by Apple and Google, they require researchers to invest much more effort into weaponising their work.
The weaponisation effort aside, for equivalent remote jailbreak bugs Cupertino will pay a max bounty of US$250,000 while Mountain View will pay US$38,000.
Zerodium and other exploit broker firms are a polarising force within the security industry. The bugs those firms purchase for large sums of cash are offered to undisclosed subscribing customers, and are not reported to vendors, since a patch would render the exploits obsolete on the latest targeted systems.
Yet some hackers forgo all payment and develop and release jailbreaks for free, despite Apple and Zerodium dangling big cheques. Among those willing to work for free is the Chinese hacking group known as Pangu Team, which told this reporter it releases exploits for love, not money, as a means to grant the research community an avenue to probe more deeply into iOS. ®