A private company that buys software security bugs and exploits from hackers has said that it will stop rewarding developers of several types of iOS exploits because it simply has too many of them.
Zerodium is a well-known cybersecurity firm that pays to acquire exploits from third-party security researchers. In many cases, Zerodium's payouts are much, much higher than Apple's official bug bounty program.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
— Zerodium (@Zerodium) May 13, 2020
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
The company on Wednesday that it'll pressing pause on acquiring any more local privilege escalation, remote code execution or sandbox escape exploits "for the next two to three months due to a high number of submissions." Additionally, the company said that prices for certain types of iOS Safari one-click vulnerabilities will probably drop in the near future.
In a subsequent tweet, Zerodium founder Chaouki Bekrar said that iOS security is "f— cked," adding that the lack of persistence and a security mechanism called pointer authentication codes are the only two things keeping iOS's security from "going to zero."
iOS Security is fucked. Only PAC and non-persistence are holding it from going to zero...but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better.https://t.co/39Kd3OQwy1
— Chaouki Bekrar (@cBekrar) May 13, 2020
Part of that is likely because of global lockdowns and the fact that security researchers have more time on their hands. Another factor could be that iOS 13 was unusually buggy — a fact that led Apple software chief Craig Federighi to overhaul the development process for the next version of iOS.
"Let's hope iOS 14 is better," Bekrar said.
This isn't the first time that Zerodium has seen a glut of iOS exploit submissions. In September 2019, the company said that, for the first time, it would pay more for Android exploits than iOS ones due to an oversupply.
12 Comments
If half of the number of existing exploits on iOS is true than it is very concerning...
What's Zerodium's business model? How can they afford to pay millions of dollars for security exploits? Are they "good guys" using this information to make the world a safer place, or are they reselling these exploits to bad actors?
...or someone could just be looking to generate a dip in AAPL before making a buy.
Exploits and claims of exploits are not the same thing. The announcement in question seems to be trying hard to imply the former while really only speaking about the latter. For that matter, they could just be weary of spending money on claims that fail to pan out.