Well, there's some good news for hackers and vulnerability hunters, though terrible news for tech manufacturers!
Exploit vendor Zerodium is now willing to offer significantly higher payouts for full, working zero-day exploits that allow stealing of data from WhatsApp, iMessage and other online chat applications.
Zerodium—a startup by the infamous French-based company Vupen that buys and sells zero-day exploits to government agencies around the world—said it would now pay up to $2 million for remote iOS jailbreaks and $1 million for exploits that target secure messaging apps.
Previously, Zerodium was offering $1.5 million for persistent iOS jailbreaks that can be executed remotely without any user interaction (zero-click)—but now the company has increased that amount to $2 million.
The company is now offering $1.5 million for a remote iOS jailbreak that requires minimal user interaction (i.e., single-click)—the amount has increased from $1 million.
Zerodium has also doubled the price for remote code execution (RCE) exploits that target secure-messaging apps like WhatsApp, iMessage, and SMS/MMS apps for all mobile operating systems, making it 1 million from $500,000.
However, the price for zero-day exploits for popular encrypted app Signal that's widely used by many technologists, journalists, and lawyers remained at $500,000, same as before.
Other Zero-Day Buyout Offers
Here's the list of revised prices announced Monday by Zerodium for a variety of other exploits:
The hike in the price is in line with demand and the tougher security of the latest operating systems and messaging apps, as well as to attract more researchers, hackers and bug hunters to seek complex exploit chains.
The amount paid by Zerodium to researchers for acquiring their original zero-day exploits depends on the popularity and security level of the affected software or system, as well as the quality of the submitted exploit, like is it a full or partial chain, does it affect current versions, reliability, bypassed exploit mitigations, process continuation and so on.
To claim the prize money, your research must be original and previously unreported. Zerodium also said that the company is willing to pay even higher rewards to researchers for their exceptional exploits or research.
Hackers will get the payout within a week of submitting the zero-day exploits along with a valid working proof-of-concept.