There’s an arms race in the hunt for tradable software vulnerabilities, but it’s not just about methods — price counts, too. Last week, Apple launched its first ever bug bounty program, offering cash rewards of up to $200,000 for ways to compromise its hardware and software. This week, an exploit trading firm named Exodus Intelligence unveiled its own new program for collecting vulnerabilities, which just happens to include a bounty for hacks targeting iOS 9.3 and up worth $500,000 — more than double what Apple is paying.
This isn’t unusual. Private companies regularly offer more money for vulnerabilities than big tech firms, but the relatively open nature of Exodus Intelligence’s hit-list (you have to log-in to see the details, but the general prices are there for everyone) shows how the exploit market is becoming increasingly public. Last year, security firm Zerodium paid $1 million to hackers for an iPhone hack and the offer made headlines — even if Zerodium later lowered this fee to “up to $500,000” for subsequent iOS hacks.
Exodus Intelligence’s hit-list.As well as looking for iPhone exploits, Exodus Intelligence will also pay out for attacks targeting Google Chrome ($150,000), Microsoft Edge ($125,000), and Firefox ($80,000). According to a report from Time (via Motherboard), customers of Exodus Intelligence pay annual subscriptions starting at $200,000 for access to the firm’s database of exploits, with Exodus selling to security firms and antivirus vendors looking to defends users, as well as to clients who want to find their way into protected systems — including government agencies. Freelance bug-hunters who answer Exodus Intelligence’s call can expect to get a one-time payment as well as periodical fees based on how long their exploit stays usable. Payment is available via check, wire transfer, or Bitcoin.