While Apple touts iOS as the most secure mobile operating system out there, black hat security company Zerodium has now raised its maximum bounty for an iOS 10 zero-day to $1.5M, $500K more than it offered for iOS 9.
For those out of the loop, a zero-day exploit or vulnerability is a security flaw that is found before the OS launches or becomes known in the first weeks after an operating system is released.
In this case, Zerodium has yet to find a zero-day exploit and says that security is improved in the latest version of iOS. The company’s founder also explains why iOS exploits are more valuable than Android ones (via Ars Technica).
“Prices are directly linked to the difficulty of making a full chain of exploits, and we know that iOS 10 and Android 7 are both much harder to exploit than their previous versions,” he told Ars. Asked why a string of iOS exploits commanded 7.5 times the price of a comparable one for Android he said: “That means that iOS 10 chain exploits are either 7.5 x harder than Android or the demand for iOS exploits is 7.5 x higher. The reality is a mix of both.”
Security researchers have a higher incentive to sell their exploits to companies like Zerodium rather than report them to Apple, as Apple is only offering a maximum of $200K, though Ars says that’s not completely true.
To qualify for a Zerodium bounty, the chain must generally work almost flawlessly to surreptitiously give an attacker complete control over the targeted device. In the parlance of hackers, that’s called a weaponized exploit. It’s not enough that a researcher provides only a rough outline of the vulnerabilities with a less-than-perfect proof-of-concept exploit. The bounties paid by Apple and Google, by contrast, are much less demanding, and as a result, they generally require less work.