Mobile operating system makers often find themselves engaged in a cat-and-mouse game with security researchers and hackers. With each successive OS release, it becomes a bit more difficult to uncover exploits, which makes them all the more valuable.
Companies like Apple and Google would love for researchers to disclose vulnerabilities directly to them so they can be patched. As a token of their appreciation, the person or group that finds and reports a flaw often gets a monetary reward and praise for their good deed.
When it comes to disclosure, however, the hacker or researcher who finds a flaw has a couple of different options. They can keep it to themselves, “do the right thing” and submit it to the OS maker in hopes of a reward, sell it on the black market, or offer it up to an “exploit broker” like Zerodium, which sells exploits to various government agencies, technology firms, defense corporations and so on.
Why go with the latter, you ask? One word – money.
Zerodium, for example, recently said it would offer up to $1.5 million to anyone who can successfully demonstrate a remote jailbreak of Apple’s latest mobile operating system, iOS 10.
As Wired points out, this isn’t the first time Zerodium has offered a big payout. Last fall, the controversial company offered a limited-time $1 million bounty for an iOS vulnerability. Apparently only a single group claimed the prize. This year, Zerodium sweetened the pot even further by increasing the payout to the aforementioned $1.5 million and making it permanent (no limited-time offer).
Image credit: Melpomene / Shutterstock