NEWS ANALYSIS: The market for iOS bugs has hit a new high, with Zerodium upping its top reward by $500,000, but not all bug bounties are the same.
The market for iOS bug bounty rewards now stands at an all-time high of $1.5 million, thanks to an increased payout schedule from Zerodium. On Sept. 29, the company updated its bug bounty payout ranges, increasing the top iOS reward, which previously stood at $1 million.

Zerodium is offering the $1.5 million iOS bug bounty award for a remote jailbreak on the recently released iOS 10.

In September 2015, Zerodium announced that it would award a $1 million prize for a browser-based, untethered jailbreak of Apple’s iOS 9 mobile operating system. The following month, Zerodium revealed that it had received a winning submission, to which it awarded the $1 million prize.

The newly updated Zerodium payout schedule, which includes bugs for operating systems, browsers, plug-ins, servers, applications and mobile devices, is not a point-in-time contest, but a year-round effort to solicit bug submissions from security researchers. Zerodium’s previous $1 million prize for an iOS bug was for a time-limited contest. The regular going rate for the top iOS bounty at Zerodium prior to Sept. 29 was in fact $500,000.
At $1.5 million, Zerodium’s top iOS bug bounty is significantly higher than Apple’s own top bug bounty, which stands at $200,000. It was at the Black Hat USA 2016 event in August that Ivan Krstic, head of Apple security engineering and architecture, formally announced the debut of his company’s bug bounty program.
Apple’s top bug bounty award of $200,000 is for secure boot firmware components on iPhone devices, which is not the area that Zerodium is focused on.

“For the record, @Zerodium iOS bounty does NOT compete with @Apple as we focus on browsers+kernel while they focus on secure boot and enclave,” Chaouki Bekrar, founder of Zerodium, wrote in a Twitter message.

The market for high-paying iOS bug bounties has become increasingly active in recent months. Security firm Exodus Intelligence announced in August that it will offer researchers up to $500,000 for a zero-day iOS vulnerability.

Trend Micro’s Zero Day Initiative (ZDI) is also offering a large bug bounty for iOS. At the upcoming mobile Pwn2Own event, being held Oct. 26-27 at the PacSec Security Conference in Tokyo, ZDI is offering a $250,000 bounty for an iOS zero-day. The ZDI Pwn2Own iOS bug bounty has a very specific target, though: successfully forcing an iPhone to unlock.

Payouts for Android Bugs Increase Too

Not only did Zerodium increase the top payout for an iOS bug, but the company also increased its top payout for Google’s Android. On Sept. 29, Zerodium increased its bounty for an Android 7 remote jailbreak from $100,000 to $200,000. As it turns out, though, Google’s top bug bounty prize for Android is the same amount. Google is running the Project Zero bug bounty program until March 14, 2017, which offers a top prize of $200,000.

While the top prizes for iOS and Android vulnerabilities continue to climb, it’s important to note that the average bug bounty payout is far less than those figures. Bug bounty firm Bugcrowd’s 2016 State of the Bug Bounty report found that the average bug bounty payout is $505.79.

At the high end of the spectrum, Google and Apple have both invested heavily to secure their respective mobile operating systems from remote jailbreaks. The amount of time and effort required to bypass those protections is nontrivial, and the high payouts reflect that.

On the other end of the spectrum, there is still a lot of “low-hanging fruit”: bugs of all sorts that security researchers can more easily find in applications from various vendors.

While not every vulnerability is worth $1.5 million, bugs do have value, and rewarding researchers for finding them will continue to be a growing business for years to come.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.