Average payout for critical vulnerabilities on HackerOne: $3,384
Android zero days (previously unseen vulnerabilities that can be used by hackers) are now worth more on the exploit market than iOS vulnerabilities for the first time, according to broker Zerodium, which has updated its price list to reflect what it says is a “flood” of iOS exploits.
Zerodium says it is now offering $2.5 million for a “full-chain”, zero-click exploit of the Android operating system that has persistence (continues to be usable by an attacker after the OS is rebooted). It has also increased payouts for WhatsApp and iMessage exploits by $500,000.
It has halved the price it pays hackers for Apple iOS full-chain (1-click) exploits with persistence to $500 from $1 million, and has also halved its fee for iMessage remote code execution with local privilege escalation.
The move comes a week after Google revealed a series of so-called watering hole websites were being used by an unknown APT to hack iPhones, using up to 17 unpatched vulnerabilities and zero days — and follows Apple’s own decision to overhaul its bug bounty programme.
Apple now offers a $1 million bounty for proof of a zero-click, full-chain kernel code execution attack, a sharp increase from $200,000, and has opened the programme up to all white hats rather than keeping it invitation-only. The escalating price hikes on both the white hat and black hat sides of the table represent something of a mobile operating system arms race.
Because Android is open source, it is arguably easier both to identify bugs in it and to harden its source code, compared with a closed ecosystem.
The decision by Zerodium comes as a company that offers a “perfect facsimile” of iOS for bug hunters to use, Corellium, is being sued by Apple.
Apple argues that Corellium, which is much admired by those seeking to find vulnerabilities in its iOS, “makes no effort whatsoever to confine use of its product to good-faith research and testing of iOS.”
While both exploit brokers like Zerodium and bug bounty programmes tout vastly increased payouts, the reality is often rather different: the average bounty paid for critical vulnerabilities on the HackerOne platform in 2018 was $3,384. While that is a 48 percent increase over last year’s average of $2,281, even a string of critical vulnerability finds is unlikely to create many millionaires.