
Black hat security company Zerodium has tripled the bounty it’s offering for zero-day iOS 10 exploits to $1.5 million, according to a new report by Ars Technica. The company’s founder, Chaouki Bekrar, explained that the higher bounty is in direct response to the improvements Apple has made in iOS 10, which have made iOS devices “much harder to exploit than their previous versions.” Notably, Zerodium also increased its bounty for Android 7 exploits to $200,000, explaining that the lower price compared to iOS 10 reflects a mix of the demand for iOS exploits and the difficulty of finding exploits in iOS 10 as compared to Android 7.
Zerodium, which seeks to find “weaponized” vulnerabilities in mobile devices that can be sold to government and corporate clients, originally offered a $1 million bounty for iOS 9 exploits last year; however, it dropped the price to $500,000 after receiving three qualifying submissions. Last month, Apple announced that it was offering up to $200,000 to security researchers who discover vulnerabilities in the company’s products, considerably less than most government-funded black hat companies would be able to offer. However, as the Ars Technica report explains, Zerodium’s bounties require a higher level of demonstrable success than a rough outline of vulnerabilities, as most black market clients are seeking ways to actually use the discovered exploits to gain complete control over a targeted device, not merely to demonstrate a potential attack vector for the purposes of improving security. Further, many security researchers are reluctant, if not outright opposed, to revealing exploits to black hat companies that may sell them to government agencies with poor track records in the areas of privacy and human rights.