Bounty programmes are big business online, with the latest interest in iOS 10 bringing rewards to a whole new level. $1.5m is up for grabs to any talented hackers out there – but Apple isn’t paying.
Zerodium has issued its biggest bounty yet, as iOS 10 receives the full glare of the watching public.
Bounties serve a valuable purpose: they are a good way for companies to learn of both problems in, and solutions for, software already in the wild. For example, in May, Instagram paid out $10,000 to a 10-year-old child who discovered a minor flaw in its back-end.
Instagram has paid out $4.3m in total to 800 people since it started its bounty programme, but Zerodium is looking to increase the average award of under $6,000 to a whopping $1.5m for its own programme.
Last year, the same company offered $1m for discoveries of iOS 9 flaws, meaning that interest in access points that allow spying on users is really on the up. Android is considered easier to hack, so its reward is just $200,000.
“We’ve increased the price due to the increased security for both iOS 10 and Android 7, and we would like to attract more researchers all year long, not just during a specific bounty period as we did last time,” said Zerodium founder Chaouki Bekrar to Kaspersky Labs.
Launched just over a year ago, the company has already issued $6.5m in rewards, primarily for mobile operating system vulnerabilities, according to Bekrar.
The company is far from altruistic though, according to security expert Graham Cluley, who said Zerodium can sell on the discovered vulnerabilities “to governments and intelligence agencies”. This can be done to “spy on suspected criminals, terrorists, foreign nations and other people they want to keep tabs on”.
“Who loses out?” asked Cluley. “Well, we all do – apart from Zerodium, the intelligence agency and the guy who picks up the pay cheque.
“Zerodium doesn’t share details of the exploit with vendors like Apple, Google, Microsoft or Adobe, who might be able to fix the security hole to make our devices and communications safer.”