Last week Apple made its belated entrance into the bug bounty market, announcing a top award of $200,000 for major flaws in iOS, but Cook & Co have been comprehensively outbid.
On Tuesday, exploit trading firm Exodus Intelligence said it is willing to pay $500,000 for a major flaw in iOS 9.3 and above – and the exploit to use it. Researchers can either take a lump sum or accept a smaller sum and quarterly payments until the exploit is found, which the company's founder told The Reg could add up to even more.
"The majority of our clients are defensive vendors, penetration testers, and red/blue teams," said Logan Brown, president of Exodus.
Apple exploits get the highest reward, reflective of their scarcity. Microsoft and Google's bug bounty programs will also need to up their rewards to match Exodus's prices.
[...] Security experts are worried that the hoarding of serious flaws will have a deleterious effect on overall security for everyone. Exodus attempted to reassure people on this front by beginning a vulnerability disclosure process back in February, but it only discloses after it has extracted the "maximum value for our customers."
(Score: 4, Funny) by archfeld on Thursday August 11 2016, @11:53PM
Sell it to Exodus for the lump sum, wait about 14 days AFTER you get paid, then get a lawyer to submit the flaw to Apple and accept payment for you. Thus you can remain anonymous and hopefully safe from the hit squad Exodus might send after you :)
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 0) by Anonymous Coward on Friday August 12 2016, @09:37AM
Parent is marked funny, but seriously, why not sell to both, if both (and even others) are willing to be your customers? Or is there small writing saying something about they want to be the exclusive customer of the exploit?