Zerodium announced this week that it won’t be buying iOS exploits in the next two to three months due to a high number of submissions. In other words, the company has so many vulnerabilities that it doesn’t need any more.
Zerodium is an exploit acquisition platform that pays researchers for zero-day vulnerabilities and then sells them to institutional customers such as government organizations and law enforcement agencies. The company focuses on high-risk vulnerabilities and typically offers between $100,000 and $2 million per fully functional iOS exploit.
Due to the high number of submissions related to these vectors, we will NOT purchase any new Apple iOS LPE, Safari RCE or sandbox escapes in the next 2 to 3 months.
The prices for iOS one-click chains (e.g. via Safari) without persistence are likely to fall in the near future.
– Zerodium (@Zerodium) May 13, 2020
In an explicit tweet, Chaouki Bekrar, CEO of Zerodium, said iOS security is in poor shape and noted that there are at least some permanent zero-day vulnerabilities that affect all iPhones and iPads. “Let’s hope iOS 14 gets better,” added Bekrar.
Apple has its own bug bounty program that pays between $5,000 and $1 million for vulnerabilities in iOS, iPadOS, macOS, tvOS or watchOS.