‘Gray hat’ cyber firm outbidding Apple for iOS zero-days
A Texas-based cybersecurity firm announced this week it will offer up to $500,000 for newly discovered security holes in Apple’s mobile operating system, iOS — effectively outbidding the tech giant’s own bug bounty program just days after it was unveiled.
‘Want $200k for an iOS hack — head to #Apple. Want real $$? You know where to find us,’ tweeted Austin, Texas-based Exodus Intelligence Tuesday.
In a statement announcing their new ‘Research Sponsorship Program,’ the company said it is ‘focused on acquiring vulnerability research and exploits from the global cybersecurity research community.’
Exodus will also pay big money for new flaws found in Google Chrome ($150,000), Microsoft Edge ($125,000), and Mozilla’s Firefox ($80,000).
Apple’s own bug bounty program, announced last week at the 2016 Black Hat security conference, offers a maximum of $200,000.
In addition to newly discovered zero-days, the company also says it will buy exploits — fully developed malicious software — that use existing, known vulnerabilities.
That puts the company firmly in the so-called “gray hat” market segment, with products that can be used for cyber offense — although they say they do due diligence on their customers.
‘Our clients are largely made up of defensive vendors,’ wrote Exodus President Logan Brown in an email to FedScoop. ‘Once we have a report about the vulnerability and exploit written up, we distribute the report to all of our subscribing clients in order for them to build defenses into their products or for red and blue team exercises.’
Exodus is also offering a novel reward system, where, in addition to the bounty, the researcher will get payments ‘every quarter the zero-day exploit is still alive.’
The company also offers payment in the form of the anonymous crypto-currency, bitcoin.