$200,000 for a serious iOS bug? Pfft, we'll give you $500,000, says exploit broker Exodus

Last week Apple made its belated entrance into the bug bounty market, announcing a top award of $200,000 for major flaws in iOS, but Cook & Co have been comprehensively outbid. On Tuesday, exploit trading firm Exodus Intelligence said it is willing to pay $500,000 for a major flaw in iOS 9.3 and above – and the exploit to use …

  1. Mephistro
    Devil

    $60000 for a zero day in Flash???

    These guys will go bankrupt in three months at most!

  2. as2003

    Good.

    The bug bounties offered by these billion-dollar companies are pitiful. $10,000 for a flaw that could ruin your company overnight? What are they thinking?!

    The sooner they start offering more realistic bounties, the sooner we can shut down the black market for these exploits, and stem the flow of these zero-days to criminals and governments with malign intent.

    1. Anonymous Coward
      Anonymous Coward

      Re: Good.

      I don't think you understand how supply and demand works. The lower the supply of exploits, the higher the price. If companies offer higher bounties and make exploits more scarce, the blackhats will be willing to pay more for one, and the companies will be forced to raise the bounties even higher. Should they pay $5 million per exploit if the black market is willing to pay $6 million?

      1. as2003

        Re: Good.

        > I don't think you understand how supply and demand works.

        Bud, I'm not sure you do either. The maximum a black hat will pay for a vulnerability is not determined by how much Microsoft is willing to pay for it; it's determined by how much they think they can make from the exploit.

        We have to assume there is already an efficient market for these exploits and that the prices already discussed represent close to the maximum that black hats are willing to pay.

      2. Bronek Kozicki

        Re: Good.

        If there is plenty of supply of exploits on a given platform, that means two things: 1) the exploits are cheap and 2) the platform is inherently insecure. While the law of supply and demand would necessarily focus on the first point (otherwise whoever is willing to pay for exploits would go bankrupt, and yes I'm also puzzled why the Flash exploit rate is far more than $100 a pop), the second point indicates that the vendor does not care (enough), which also means that either they are a short step from bankruptcy or, more likely, their business model factored in that security exploits are not going to ruin them overnight.

        Yes, the exploits might ruin their customers, but did you read any of the EULAs of the software you are using? Yes I am being cynical, but that's the reality we live in.

    2. Anonymous Coward
      Anonymous Coward

      Re: Good.

      > The bug bounties offered by these billion-dollar companies are pitiful. $10,000 for a flaw that could ruin your company overnight? What are they thinking?!

      Really? I don't see anyone who committed themselves to the Microsoft brand end their use of their products because of a new vulnerability, however severe. Microsoft knows that long term users are by now more or less numb to the fantastic amount of fixes that land every week on their doorstep - they're not worried that such companies would suddenly walk away.

      The only thing happening here is that there's yet again a US vulture that is quite happy to make a profit by creating risk to users by driving up the cost of security information, because, hey, capitalism trumps decency every time. Yes, I used the word "Trump" - accidental but quite to the point too.

      1. Sandtitz Silver badge
        Thumb Down

        Re: Good.

        "Really? I don't see anyone who committed themselves to the Microsoft brand end their use of their products because of a new vulnerability, however severe. Microsoft knows that long term users are by now more or less numb to the fantastic amount of fixes that land every week on their doorstep"

        Replace Microsoft with Android and replace the "fantastic amount of fixes" with "fantastic amount of zero fixes". The hordes know nothing about security and don't care - the Android ecosystem is the living proof.

        I've noticed a fantastic amount of fixes landing on my Linux installations every week, and I'm content in having those fixes than not having them.

      2. as2003

        Re: Good.

        > I don't see anyone ... end their use of their products because of a new vulnerability,

        Ok, so Microsoft isn't a great example, but just off the top of my head, give Mt. Gox or Ashley Madison a call, see how much they would have been willing to pay to get their hands on the bugs that wiped them out.

        Every other week I read a responsible disclosure of some bug that could have wiped out or seriously damaged a business, and then in the footnotes it'll say they got a bounty of $2,000, or $10,000, or they broke some rule and the company decided to not pay out anything.

        > yet again a US vulture that is quite happy to make a profit ... because capitalism trumps decency every time

        Until bug bounties are competitive, these pig-dog-capitalist bug-brokerages that you despise will thrive. My point is that bug bounties programmes need to offer more. A lot more. This will also have the fantastic side-effect of compelling software producers to give much more of a shit about security. Maybe once bug bounty programmes start paying (what I would consider to be) reasonable rates, security would no longer be an afterthought, but a primary concern.

        1. Anonymous Coward
          Anonymous Coward

          Re: Good.

          So should a zero day be found in Linux in 2017 that exposes all web servers to root access, who's going to stump up the $5 million to beat it?

    3. Anonymous Coward
      Anonymous Coward

      Re: Good.

      > What are they thinking?!

      I'd guess things along the lines of 'Adobe are still raking it in' or 'Larry's got a shed load of yachts' and 'nah pfff'.

  3. Anonymous Coward
    Anonymous Coward

    Hmm... It's been a long time since my computer forensics course, but pretty confident that in the UK selling exploits like that, as opposed to disclosure, will get you on extremely shaky legal grounds. No doubt their prices reflect that.

    And we're not even considering the conscientious aspect--and frankly, white hats quite rightly take pride in their high ethical standards. No doubt their price reflects that too.

    Quick look reveals these companies¹ make a significant part of their income from selling the vulns to various government agencies (US and European, very likely others too). So in the end it's you, the taxpayer, funding their business.

    ¹ Exodus is one of a growing number of them, others are Zerodium (ex-VUPEN), Hacking Team, Endgame Systems, ReVuln, ...

  4. Anonymous Coward
    Anonymous Coward

    Wot! No Android bounty on the list?

    Can those of us lucky enough to use this OS sleep well at night or are there so many holes in it that make many American roadside signs that are riddled with gunshot holes look solid as a rock?

    1. Anonymous Coward
      Anonymous Coward

      Re: Wot! No Android bounty on the list?

      Not sure if I should upvote or downvote you :-)

      It is true there are vulnerabilities but you sound like iOS fanboy.

      Disclaimer - I am an Android phone and tablet user with Macbook

      1. Anonymous Coward
        Anonymous Coward

        Re: Wot! No Android bounty on the list?

        > Not sure if I should upvote or downvote you :-)

        > It is true there are vulnerabilities but you sound like iOS fanboy.

        He didn't mention anything Apple, though, so that seems to be more in your own mind. Just saying..

  5. lglethal Silver badge
    Go

    Out of curiosity

    Who exactly are Exodus intelligence's customers?

    "...only discloses after it has extracted the "maximum value for our customers." " is a rather worrying statement...

    On the topic of bounties, if the prices go up and it starts costing MS, Apple and co. significant cash, then maybe they will start investing more cash into designing secure systems in the first place, i.e. letting the creators spend a bit more time plugging the holes instead of rushing out shipping to man+dog... It's only when it starts hitting the bottom line that companies take security seriously...

    1. Anonymous Coward
      Anonymous Coward

      Re: Out of curiosity

      > Who exactly are Exodus intelligence's customers?

      According to an article I read in La Repubblica some time ago, backed by a quick perusal of those companies webpages, that's almost entirely governments.

      As someone told me once, just because you're paranoid, it doesn't mean they're not after you. :-(

  6. anothercynic Silver badge
    Facepalm

    "In check, Western Union and Bitcoin"

    Check? CHECK?? We're British. It's CHEQUE. Nothing excuses the Americanism thereof.

    *UGH*

    1. Sandtitz Silver badge
      Mushroom

      Re: "In check, Western Union and Bitcoin"

      "Check? CHECK?? We're British. It's CHEQUE. Nothing excuses the Americanism thereof."

      No, we are not British.

      The author resides in US and Exodus is a US company so they're going to give checks that say 'check'. Does it piss you off? Good.

      1. Anonymous Coward
        Anonymous Coward

        Re: "In check, Western Union and Bitcoin"

        >The author resides in US and Exodus is a US company so they're going to give checks that say 'check'.

        No, they're going to pay by cheque. It will probably be a grey cheque, is very unlikely to have either 'check' or 'cheque' written on it and certainly won't be saying anything.

        1. Anonymous Coward
          Anonymous Coward

          Re: "In check, Western Union and Bitcoin"

          FFS. Now you know the reason why it's a dying form of payment..

          :)

    2. Anonymous Coward
      Anonymous Coward

      Re: "In check, Western Union and Bitcoin"

      $500,000 is paid by check, £500,000 is paid with a cheque.

      This payment is $500,000 so it is paid by check.

  7. The First Dave

    I think you will find that when you try to claim one of these bounties, they will say something (in a Nigerian accent) along the lines of: "Thanks, could you just confirm your bank details so we can make the transfer."

  8. Anonymous Coward
    Anonymous Coward

    500k??? ... Show me the money baby!

    Presumably Exodus will turn around and sell these exploits for a multiple to the big boys. Still sounds like good news for Indie researchers as 500-10k is such shit money from M$ / FB directly etc.

    But the concern is Exodus will hoard these exploits until they can extract maximum dollar? Good for them! It's about time cash-hoarding billionaire-dollar Privacy Deniers have to pay for data!

  9. Anonymous Coward
    Anonymous Coward

    Criminal Gangs

    Exodus can only afford to buy these if they are using them for criminal activity.

    No different than buying guns on the black market, there is no reason to have them other than to hurt others.

    Employees of Exodus are enemies of all people and should be eliminated.
