
Exodus announces a bug bounty program. Who will pay more for a zero-day?

The zero-day broker Exodus Intelligence has announced an acquisition program for vulnerabilities and exploits. Who will pay more for a 0-day exploit? A reflection on the zero-day market.

Almost every IT giant has launched a bug bounty program; the most recent is Apple, which announced its initiative last week during the Black Hat conference.

How much is a vulnerability in an Apple product worth?

The awards are very interesting: bug hunters can earn up to $200,000 for a critical vulnerability affecting the secure boot firmware components, up to $100,000 for a flaw that could be exploited to extract sensitive data protected by the Secure Enclave, up to $50,000 for arbitrary code execution with kernel privileges or unauthorized access to iCloud account data, and up to $25,000 for access from a sandboxed process to user data outside the sandbox.

But we all know that the zero-day market is crowded with private firms and nation-state actors willing to pay much more for exploits of unknown flaws in the most popular products.

The zero-day broker Exodus Intelligence has announced a new acquisition program covering both vulnerabilities and exploits.

“Today, Exodus Intelligence has unveiled the new Research Sponsorship Program (RSP), focused on acquiring vulnerability research and exploits from the global cybersecurity research community. While continuing to acquire Zero-Day research, the RSP is the first widely available acquisition program to offer bounties for exploits that exercise N-Day vulnerabilities.” reads the official statement released by the firm.

“Exodus is also excited to be rolling out a new bonus structure for the acquisition of research that leads to Zero-Day vulnerabilities.”

Exodus will share details of the acquired vulnerabilities and exploits with customers who pay a subscription fee of roughly $200,000 per year.

Let’s compare the awards offered by the company with the Apple ones.

For iOS vulnerabilities, Exodus pays more than double Apple’s maximum payout: the broker will pay up to $500,000 for a zero-day in iOS 9.3 or above.

It is clear that a bug hunter seeking the highest remuneration for their efforts may turn to companies like Exodus instead of IT giants like Apple, because broker programs pay more for 0-day exploits. The trade-off is that the flaw goes to the broker’s paying subscribers rather than to the vendor that could fix it.

There is another incentive for bug hunters who contact Exodus: the company pays a bonus for every quarter in which the zero-day is still effective.

“For each new Zero-Day acquired, Exodus will offer the researcher an initial payment, received after the request is reviewed and accepted. Once accepted, the researcher could receive payments every quarter the Zero-Day exploit is still alive. The specific values of the initial payment and quarterly bonus will be included in an offer presented to the researcher, following the review of their work. Additionally, Exodus also offers payment in the form of Bitcoin for Zero-Day research.” continues the announcement.

Speaking of Apple zero-day exploits, let us recall that last year the zero-day vendor Zerodium paid a $1 million bounty for an iOS zero-day that could allow an attacker to remotely hack any iPhone.

The program launched by Exodus is open: anyone can submit vulnerabilities to the company, whereas other acquisition programs are invitation-only.

For further information on Exodus’ program, take a look at the new RSP website.


Pierluigi Paganini

(Security Affairs – bug bounty program, hacking)
