Software 'bug broker' Zerodium to stop buying iOS exploits due to oversupply

article thumbnail

A private company that buys software security bugs and exploits from hackers has said that it will stop rewarding developers of several types of iOS exploits because it simply has too many of them.

Zerodium is a well-known cybersecurity firm that pays to acquire exploits from third-party security researchers. In many cases, Zerodium's payouts are much, much higher than Apple's official bug bounty program.

The company on Wednesday that it'll pressing pause on acquiring any more local privilege escalation, remote code execution or sandbox escape exploits "for the next two to three months due to a high number of submissions." Additionally, the company said that prices for certain types of iOS Safari one-click vulnerabilities will probably drop in the near future.

In a subsequent tweet, Zerodium founder Chaouki Bekrar said that iOS security is "f— cked," adding that the lack of persistence and a security mechanism called pointer authentication codes are the only two things keeping iOS's security from "going to zero."

Part of that is likely because of global lockdowns and the fact that security researchers have more time on their hands. Another factor could be that iOS 13 was unusually buggy — a fact that led Apple software chief Craig Federighi to overhaul the development process for the next version of iOS.

"Let's hope iOS 14 is better," Bekrar said.

This isn't the first time that Zerodium has seen a glut of iOS exploit submissions. In September 2019, the company said that, for the first time, it would pay more for Android exploits than iOS ones due to an oversupply.

 

Latest News