Pierluigi Paganini August 10, 2016

The bug hunting company Exodus announced its bug bounty program. Who will pay more for a 0-day exploit? Reflecting on the zero-day market.

Almost every IT giant has launched its bug bounty program, the last in order of time is Apple that last week announced the initiative during the Black Hat Conference.

How much is a vulnerability in Apple product?

The awards are very interesting, bug hunters can earn up to $200,000 for a critical vulnerability affecting the secure boot firmware components, up to $100,000 for a flaw that could be exploit to extract sensitive data protected by the Secure Enclave, up to $50,000 for arbitrary code execution with kernel privileges and unauthorized access to iCloud account data, and up to $25,000 for access from a sandboxed process to user data outside the sandbox.

But we all know that zero-day market is crowded by private firms and nation-state actors that could decide to pay much more for an exploit of unknown flaws in most popular products.

The zero-day broker company Exodus Intelligence has announced its new acquisition programme for both vulnerabilities and exploits.

Today, Exodus Intelligence has unveiled the new Research Sponsorship Program (RSP), focused on acquiring vulnerability research and exploits from the global cybersecurity research community. While continuing to acquire Zero-Day research, the RSP is the first widely available acquisition program to offer bounties for exploits that exercise N-Day vulnerabilities.” reads the official statement released by the firm.

“Exodus is also excited to be rolling out a new bonus structure for the acquisition of research that leads to Zero-Day vulnerabilities.”

Exodus will share details of vulnerabilities and exploits to customers who pay a subscription fee of roughly $200,000 per year.

Let’s compare the awards offered by the company with the Apple ones.

iOS vulnerabilities are paid by Exodus more than double Apple’s maximum payout, the bug-hunting company will pay a maximum of $500,000 for zero-day in iOS 9.3 or above.

Now it is clear that a bug hunter searching for a remuneration for his efforts will contact companies like Exodus, instead IT giants like Apple because their bug bounty programs pay more for 0-day exploits.

There is also another incentive for bug hunters that will contact Exodus, the company will pay an extra cash for every quarter that the zero-day is still effective.

“For each new Zero-Day acquired, Exodus will offer the researcher an initial payment, received after the request is reviewed and accepted. Once accepted, the researcher could receive payments every quarter the Zero-Day exploit is still alive. The specific values of the initial payment and quarterly bonus will be included in an offer presented to the researcher, following the review of their work. Additionally, Exodus also offers payment in the form of Bitcoin for Zero-Day research.” continues the announcement.

Speaking about Apple zero-day exploits, let’s remind that last year the zero-day vendor Zerodium paid a $1 million payout for disclosing a iOS zero-day vulnerability that could allow an attacker to remotely hack any Phone.

The bug bounty program launched by Exodus is open, everyone can submit vulnerabilities to the company, meanwhile, other programs are by invitation-only.

For further information on Exodus’ program give a look at the new RSP website.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – bug bounty program, hacking)