‘Bug Broker’ Zerodium to Stop Buying iOS Exploits Due to Increased Submissions

Researchers often sell information about critical security vulnerabilities. They can either report a bug to Apple and stake a claim in its bug-bounty program, or sell the vulnerability to a ‘bug broker.’ Zerodium is one such company, acting as an intermediary between exploit developers and buyers. Zerodium has now announced that it will stop acquiring new Apple iOS exploits, Safari RCE exploits, and sandbox escapes for the next 2-3 months.

Typically, companies like Zerodium pay developers and researchers far more than Apple’s Bug Bounty program does. Moreover, iOS exploits are very valuable and hard to come by. The imbalance between supply and demand appears to have forced the company to pause accepting iOS submissions. Perhaps researchers have more time on their hands because of the lockdown, which would explain the increase in submissions. Another explanation is that iOS 13 itself is buggy, hence the high number of exploits.

In its tweet, Zerodium also said that prices for “iOS one-click chains without persistence” will go down in the future. On the surface, it seems good that a private company has paused buying iOS exploits. However, it also speaks volumes about iOS 13’s bugs and security flaws. Apple’s SVP of Software Engineering, Craig Federighi, has reportedly pushed a new approach aimed at reducing bugs in iOS 14. The changes extend to how Apple handles its daily internal builds, which are notorious for not being thoroughly tested.

Our Take

iOS is often regarded as a much safer alternative to Android. Things took a turn last year when the company paid more for an Android exploit than for an iOS one. An earlier report claimed that Android phones have become tougher to crack than iPhones. In spite of Apple’s promises of user privacy and data security, security agencies have been able to crack iPhones. We hope that this changes with iOS 14 and that the rise in iOS bugs and security flaws becomes a thing of the past.