Zerodium, a leading zero-day exploit broker, has published the bounty figures it will pay to exploit developers. Under the revised price list, the highest payout is for the iOS platform: up to $1.5 million for any fully functional and reliable exploit that meets Zerodium's requirements. Before the revision, the top figure was $500,000.
The firm was founded in July 2015 by Chaouki Bekrar, the founder of Vupen, which stopped trading at the same time. Whereas Vupen developed its own exploits, Zerodium trades in third-party exploits and also runs its own research team. Zerodium's bounties range from $10,000 for web applications such as vBulletin, WordPress, Joomla and Drupal up to the $1.5 million mark. Android is a distant second, with bounties of $200,000.
In November 2015, the company awarded a $1 million bounty to a team of hackers who submitted a remote, browser-based untethered jailbreak that worked on iOS 9.1 and the iOS 9.2 beta.
The reasoning is that iOS zero-days are hard to find but sell well. Some organizations are willing to pay Zerodium's markup, with the price of a single exploit reaching a limit of $2 million. FBI Director James Comey, speaking at a London security forum hosted by the Aspen Institute, said the agency had paid about $1.3 million to a third party to break into the iPhone of the San Bernardino shooter.
The founder and CEO of the security company High-Tech Bridge said that the service Zerodium offers is controversial. Gartner predicts that through 2020, 99 percent of the vulnerabilities exploited will still be ones that security and IT professionals have known about for at least a year. He added, however, that there would be exceptions, such as the San Bernardino shooter case.
Drew Koenig, a security solutions architect at Magenic, said that the NSA dumps show that zero-day vulnerabilities exist and are kept secret from vendors once they are discovered. He added that if Zerodium can pay millions for these vulnerabilities, it is clearly getting more out of them somehow, and that whoever buys them will keep them secret. Only unethical companies would withhold the flaws from the vendors, he said.