
It’s just a week since Apple announced its first-ever bug bounty for researchers who find vulnerabilities in its widely-used software and hardware, in the hope that it can provide better security and privacy to its millions of customers.

The Cupertino-based company made headlines for its belated entry into the bug bounty marketplace, offering up to $200,000 to researchers who uncover the most serious iOS flaws.

Although Apple has dragged itself late to the starting line compared to other high-profile tech firms like Google, Microsoft and Facebook, the news was welcomed – in particular because of recent attempts by law enforcement to “break” iPhone security to assist in their investigations.

While many are sympathetic to the law enforcement agencies trying to gather evidence for criminal investigations, concerns have been raised that if Apple itself isn’t properly informed of the security holes used to break iOS security, no patches will be made, and *all* iPhone users (criminal or otherwise) will be left at risk.

It’s at this point that exploit brokerage firm Exodus Intelligence enters the story.

Exodus is offering $500,000 ($300,000 more than the maximum offered by Apple) to anyone who can sell them a zero-day exploit for iOS.

[Image: Exploit price]

Exodus isn’t doing this out of the goodness of their hearts, of course. They are a business. They are planning to sell details of any zero-day exploits they purchase from vulnerability researchers, and they’re planning – one assumes – to make a profit.

Which means that they believe there are people prepared to pay more than $500,000 for a zero-day exploit for iOS.

And remember this – what use is a zero-day exploit if Apple releases a security update that fixes it? At that point it becomes worth practically nothing.

No, to convince a customer that the zero-day exploit you are selling them is worth half a million dollars you need to assure them that you are not going to also share details with the one organisation capable of plugging the security hole – Apple.

The very real danger is that vulnerability researchers might be tempted to sell their exploit discoveries to third parties rather than to Apple directly because of the larger pot of money available. And there is a risk that, as a result, vulnerabilities will not get fixed by Apple, and might therefore be exploited by abusive governments, intelligence agencies and common criminals to spy upon innocent people.

Security flaws do need to get fixed. And vulnerability researchers do deserve to be rewarded for their expertise and hard work.

But it’s hard to understand how a free market for iOS zero-day exploits is going to ensure that the majority of us are left safer online.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.



  • Brian

    Why not sell it to both and make $800,000 :)

    • swisssteve

      Surely $700’000 ???

  • swisssteve

    Ah, so this is a new type of business – vulnerability brokering. You make a market in vulnerabilities and sell them to the highest bidder. (Probably already long available on the dark web.) It’s a bit like stealing the key to a car and then selling it to the highest bidder (who may or may not be the original owner – who is essentially being held to ransom).

  • disqus_Tgv8PPb9Oy

    Two things occur to me: first, how do you keep someone from selling it to Apple after they’ve sold it to you, and second, if I were in the position of being able to sell a zero-day flaw to some third party whose business model is to make money by selling it to anyone who comes up with the money, how do I know that I can trust such unscrupulous “businessmen” to come through with their payment to me?