American information security company Zerodium is currently offering payouts of up to $1.5 million for original and unreported vulnerabilities with fully functional exploits on major operating systems, software and/or devices. At that figure, exploits on iOS 10 carry the highest payout in the program.
Founded in 2015, Zerodium's main business focuses on acquiring zero-day vulnerabilities and exploits and creating protective security measures and recommendations for them. The information on the vulnerabilities and their corresponding protective measures is then reported to Zerodium's clientele, which consists mostly of major corporations within the technology, finance and defense sectors. The company also has dealings with government organizations.
Zerodium's zero-day exploit acquisition program covers anything from phpBB to iOS, with varying payouts. Zero-day exploits for Windows, macOS and Linux vulnerabilities can net security researchers up to $30,000, while those for Android can secure up to $200,000.
Reporting exploits for browsers such as Chrome, Internet Explorer and Edge, as well as Safari, can land checks as high as $80,000.
"Any acquisition made by Zerodium will be paid in full and in one installment via a bank/wire transfer," the company specifies on its FAQ page. "Zerodium may also pay additional bonuses in one or more installments if the research meets specific lifespan requirements."
Zerodium reports that it has spent over $6.5 million acquiring vulnerabilities and exploits over the last 12 months. The largest amounts were paid for iOS and Android.
The $6.5 million figure includes last year's $1 million bounty that Zerodium paid to a team who successfully produced a remote, browser-based, untethered iOS 9.1/9.2b jailbreak. After that payout, Zerodium decreased the iOS reward to $500,000 before tripling it in the current program.
"We've increased the price due to the increased security for both iOS 10 and Android 7, and we would like to attract more researchers all year long, not just during a specific bounty period as we did last time," says Zerodium founder Chaouki Bekrar.
Note that prior to Zerodium, Bekrar also founded the now-defunct Vupen Security, a French information security company that likewise specialized in discovering zero-days in software and selling the information to intelligence and law enforcement agencies.
Apple itself is also putting up bounties for exploits in its mobile platform. Cupertino announced its own exploit bounty program last month at Black Hat, an annual hacker conference. Researchers can net a maximum of $200,000 for exploits found in iOS 10. Secure boot firmware exploits have the highest payout.