Android Zero-Day exploits are the most expensive in the new Zerodium price list

Pierluigi Paganini September 04, 2019

Zero-day broker Zerodium has updated its price list for both Android and iOS exploits, with Android exploits priced above iOS ones for the first time.

For the first time, the price for Android exploits is higher than for iOS ones, according to the updated price list published by the zero-day broker Zerodium.

A zero-click exploit chain for Android would be rewarded with up to $2.5 million, while an exploit chain for iOS would fetch only $2 million.

“Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero click exploits not requiring any user interaction,” explained Zerodium’s CEO Chaouki Bekrar.

Zerodium also announced it has increased the payouts for eligible iMessage and WhatsApp 0-click exploits. The company also reduced payouts for iOS 1-click exploits.

RCE + LPE exploits without persistence for iMessage and WhatsApp could be rewarded with a $1,500,000 payout (+50% over the previous price tag).

“ZERODIUM payouts for eligible zero-day exploits range from $2,000 to $2,000,000 per submission,” states Zerodium.

“The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc).”

Zerodium will also potentially pay higher payouts for “exceptional” exploits that meet its “highest requirements.”

The price for WhatsApp zero-click exploits increased because demand for this kind of exploit is growing.

In March 2019, the exploit acquisition firm offered up to $500,000 for VMware ESXi and Microsoft Hyper-V vulnerabilities. At the time, the offer for Microsoft Hyper-V exploits was a novelty in Zerodium’s price list: it was the first time the zero-day broker had included a payout for this kind of exploit.

Pierluigi Paganini

(SecurityAffairs – Zerodium, zero-day)
