Researchers often sell information regarding critical security vulnerabilities. They can either report to Apple and stake a claim in its bug-bounty program or sell the vulnerability to a ‘bug broker.’ Zerodium is one such company that acts as an intermediary between developers and buyers. Zerodium has now announced that it has stopped acquiring new Apple iOS, Safari RCE, or sandbox escapes for the next 2-3 months.
Typically, companies like Zerodium pay a lot more to the developers/researchers as compared to Apple’s Bug Bounty program. Moreover, iOS exploits are very valuable and hard to come by. The skewed demand and supply equation seems to have forced the company to pause accepting iOS submissions. Perhaps, researchers have more time in hand due to the lockdown and thus the submissions may have increased. Another explanation is that iOS 13 in itself is buggy and thus the high number of exploits.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
— Zerodium (@Zerodium) May 13, 2020
In its tweet, Zerodium has also said that prices for “iOS one-click chains without persistence” will go down in the future. At the outset, it seems good that a private company has paused buying iOS exploits. However, it also speaks volumes about iOS 13’s bugs and security flaws. Apple’s SVP of Software Engineering, Craig Federighi has apparently advised a new approach aimed at reducing bugs on iOS 14. The changes extend to how Apple deals with its daily internal builds which are notorious for not being thoroughly tested.
iOS is often regarded as a much safer alternative to Android. Things took a turn last year when the company paid more for an Android exploit as opposed to iOS. An earlier report claimed that Android phones have gotten tougher to crack than iPhones. In spite of Apple’s promises of user privacy and data security, security agencies have been able to crack iPhones. We hope that this changes with iOS 14 and the rise in iOS bugs/security flaws will become a thing of the past.