Zero-Day Acquisition Platform Triples iOS 10 Bug Bounty to $1.5 Million

Discussion in 'Politics, Religion, Social Issues' started by MacRumors, Sep 30, 2016.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    Exploit acquisition platform Zerodium has increased its reward for a successful jailbreak of iOS 10 to $1.5 million, far surpassing Apple's recent payout offer for discovering and reporting vulnerabilities in its software.

    Late last year, Zerodium briefly offered and paid out $1 million to one hacking team for the successful creation of a browser-based jailbreak for iOS 9.1 and 9.2, but dropped the going rate for an exploit to $500,000.

    [​IMG]

    Rather than report the vulnerabilities to Apple, Zerodium said that it would sell the exploit to its customers, which include major technology, finance, and defense corporations, as well as government agencies.

    Instead of being limited to a specific timeframe, the new $1.5 million reward is a permanent offer that aims to compensate for Apple's recently hardened security regime, said Zerodium founder Chaouki Bekrar.
    At the same time, Zerodium's decision to up its bug bounty can be seen as a response to the imminent launch of Apple's own program.

    Last month at the annual Black Hat Conference, Apple announced the launch of an invite-only Security Bounty Program that would offer rewards of up to $200,000 to researchers depending on the vulnerability discovered. Apple said the program would be limited to a few dozen researchers and would go live in September.

    Earlier this week, several news media outlets were seemingly duped into reporting on an alleged 'secret' meeting of prominent hackers at Apple's Campus in Cupertino, which was supposed to include a briefing on the company's bug bounty program. The meeting was apparently a hoax perpetrated by the hackers themselves.



    Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

    Article Link: Zero-Day Acquisition Platform Triples iOS 10 Bug Bounty to $1.5 Million
     
  2. holydude macrumors regular

    Joined:
    Oct 13, 2013
    #3
    Why should not this be legal ?
     
  3. AppleMark macrumors 6502a

    AppleMark

    Joined:
    Jun 17, 2009
    Location:
    The CCTV Capital of the World
    #4
    Hmmm... $1.5M from Zerodium, or [up to] $200,000 from Apple.... Let me think...
     
  4. djcerla macrumors 65816

    djcerla

    Joined:
    Apr 23, 2015
    Location:
    Italy
    #5
    Weaponized iOS exploit: $1.500.000
    Weaponized Android exploit: $200.000

    1500/200 = 7.5x sounds about right as a difference in security and value of the two platforms.
     
  5. shaunp macrumors 65816

    Joined:
    Nov 5, 2010
    #6
    Sounds like the FBI and CIA will be get that golden key after all.....
     
  6. Peace macrumors Core

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #7
    "Rather than report the vulnerabilities to Apple, Zerodium said that it would sell the exploit to its customers, which include major technology, finance, and defense corporations, as well as government agencies."

    Did anybody not see this part ?
     
  7. djcerla macrumors 65816

    djcerla

    Joined:
    Apr 23, 2015
    Location:
    Italy
    #8
    From Ars Technica:

     
  8. SgtPepper12 macrumors 6502a

    SgtPepper12

    Joined:
    Feb 1, 2011
    Location:
    Germany
    #9
    Very simple: Government agencies may profit from it.
     
  9. hortod1 macrumors regular

    hortod1

    Joined:
    Jan 26, 2009
    #10
    Hopefully, the way this will work, is some well-to-do company sympathetic to Apple or invested in its security will buy it and sell the exploits back to Apple for whatever they spent on it (assuming Zerodium wouldn't sell it to Apple).

    Apple then releases an update to fix the exploit the next day.
     
  10. Hanzu Lao Suspended

    Hanzu Lao

    Joined:
    Aug 24, 2016
    #11
    If i sold a vulnerability of you home alrm system to someone would you like that?
     
  11. symphara macrumors 6502a

    Joined:
    Nov 21, 2013
    #12
    Android is open source, so it's easier to look for security flaws.

    In the meantime, Apple's source code includes things such as the goto fail bug, which speaks volumes about its security and value, and volumes about Apple's code review and sensitive code change practices.
     
  12. Abazigal macrumors 604

    Abazigal

    Joined:
    Jul 18, 2011
    Location:
    Singapore
    #13
    Just because I don't like something doesn't automatically make it illegal.
     
  13. Hanzu Lao Suspended

    Hanzu Lao

    Joined:
    Aug 24, 2016
    #14
    Strange, because in this case the implications of such business model aren't very user friendly.
     
  14. djcerla macrumors 65816

    djcerla

    Joined:
    Apr 23, 2015
    Location:
    Italy
    #15
    Zerodium founder Chaouki Bekrar:

    "Prices are directly linked to the difficulty of making a full chain of exploits... Asked why a string of iOS exploits commanded 7.5 times the price of a comparable one for Android he said: "That means that iOS 10 chain exploits are either 7.5 x harder than Android or the demand for iOS exploits is 7.5 x higher. The reality is a mix of both."
     
  15. VulchR macrumors 68020

    VulchR

    Joined:
    Jun 8, 2009
    Location:
    Scotland
    #16
    My thoughts exactly. This is a national security issue, not some business deal. We have the Patriot Act, but no legal requirement to report potential security vulnerabilities to the companies that make hardware and software?

    Anybody who takes this 'bounty' should be held legally liable, along Zerodium, for any damages caused by a customer exploiting a bug...
     
  16. springsup macrumors 6502a

    springsup

    Joined:
    Feb 14, 2013
    #17
    All of this buying and selling of exploits amounts to a conspiracy to invade your property and your life.

    There isn't a legitimate use for this information, which is why they all call themselves "researchers". Government has their own mechanisms. We absolutely should not farm out security to private contractors who are allowed to amass catalogues of undocumented exploits to important infrastructure. That would be totally ******* crazy.
     
  17. Abazigal macrumors 604

    Abazigal

    Joined:
    Jul 18, 2011
    Location:
    Singapore
    #18
    Could the act of selling an iPhone hack make you an accessory or accomplice to a crime if that hack was subsequently used to break the law? I confess that I am not knowledgeable enough to comment in that regard.

    The closest analogy I can think of is that it would not be against the law to have the keys to your house duplicated, though it would certainly be breaking the law if I decided to use those keys to break into your house to burgle it. The only reasonable course of action you could take is to have all your locks changed.
     
  18. leman macrumors 604

    Joined:
    Oct 14, 2008
    #19
    I am also wondering: is this even legal? I mean, we are talking abut sensitive information that can affect privacy and safety of millions of people. Can you simply 'sell' something like that?
     
  19. Wondercow macrumors 6502a

    Joined:
    Aug 27, 2008
    Location:
    Toronto, Canada
    #20
    When did "not user friendly" equate to "illegal"?
     
  20. symphara macrumors 6502a

    Joined:
    Nov 21, 2013
    #21
    You mistakenly interpret this as a difference in security, where it could simply reflect a price difference in the equipment required to discover security flaws.

    For all we know, iOS could have many more security flaws that Android has, but they're more expensive to find due to its closed-source aspect.

    Apple has shown itself careless and cavalier with security flaws both on OSX and iOS, and coasts on its "security through obscurity" belief, which is hardly any security at all.
     
  21. Dagless macrumors Core

    Dagless

    Joined:
    Jan 18, 2005
    Location:
    Fighting to stay in the EU
    #22
    Well this is better than the founder of modern day VR donating money to an alt-right group to troll the internet.
     
  22. djcerla macrumors 65816

    djcerla

    Joined:
    Apr 23, 2015
    Location:
    Italy
    #23
    security through obscurity... what obscurity? iOS has a BILLION devices in use.

    Zerodium's CEO words can't be more clear, let's requote them: "That means that iOS 10 chain exploits are either 7.5 x harder than Android or the demand for iOS exploits is 7.5 x higher. The reality is a mix of both"
     
  23. Hanzu Lao Suspended

    Hanzu Lao

    Joined:
    Aug 24, 2016
    #24
    And in this analogy you can't just change the locks since you have no idea what is specifically wrong with the lock. That's why this is not very good. No one with good intentions would come to this zerodium and give them an exploit. If a find something i report it to the the company that made it and i make my device and all devices more secure.

    Anyone who will deal with this "company" are immoral ***** in only for the money.
     
  24. indychris macrumors 6502

    indychris

    Joined:
    Apr 19, 2010
    Location:
    Fort Wayne, IN
    #25
    You know, if Apple played their cards right, they could contract someone to work on their behalf and get $1.5Million of of Zerodium's money and directly benefit Apple. In fact, a truly conniving company could create a hidden 'vulnerability', sell it to Zerodium, fix the code right away and sink the potentially sabotaging company.
     

Share This Page