Apple finally announced it was starting an official bug bounty program last week, offering rewards of up to $200,000 for researchers who find security flaws in the company’s products. But anyone who discovers an Apple vulnerability may be tempted to take it elsewhere, as exploit broker Exodus Intelligence is handing out a maximum of $500,000 for major flaws found in iOS 9.3 and above.
Apple had been a long-term holdout when it came to offering rewards for discovered security flaws. Now, it will pay $200,000 for the discovery of bugs in its secure boot firmware components, but the program will initially be invite-only – though anyone who discovers a major flaw will be asked to join.
Texas-based Exodus has a hit list of its most desired exploits for software that includes Chrome, Edge and Firefox, with iOS 9.3+ sitting at the top of the cash pile. Researchers who submit bugs can take the money in a lump sum or as a smaller amount along with quarterly payments for as long as the exploit is still alive. The company’s website says this can be paid by check, wire transfer, Western Union, or Bitcoin.
For providing its customers with details of vulnerabilities and working exploits, Exodus charges a subscription fee of around $200,000 a year, according to Time. "The majority of our clients are defensive vendors, penetration testers, and red/blue teams," said Logan Brown, president of Exodus.
Speaking to Motherboard, Brown added that the half-million-dollar payout is awarded for a full chain of vulnerabilities that achieves remote code execution and the ability to persist on the device. "We do require a reliable exploit for the purchase, so our program differs from Apple, as they are interested in vulnerabilities in their security architecture, and do not require the exploit," he said.
Exodus isn’t the only company offering huge rewards for iOS-related vulnerabilities. Zerodium announced last year that it would pay $1 million to developers who discover critical, exploitable flaws in iOS 9.