Exploit acquisition platform Zerodium has shared that it has an oversupply of a few types of iOS and Safari flaws, to the point that it has stopped taking submissions from researchers for the “next 2 to 3 months.”

Zerodium was one of the exploit acquisition companies that were profiled last September in a report from Vice about a flood of iOS exploits hitting the market. A few weeks later we also saw the permanent, unpatchable bootrom exploit called checkm8 surface.

More than half a year later, certain iOS and Safari exploits have continued to roll in to Zerodium at such a pace that the company announced that it’s not accepting submissions for local privilege escalation (LPE) iOS exploits, remote code execution through Safari, or sandbox escapes for “the next 2 to 3 months.”

Zerodium also predicted that “prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.”

As highlighted last fall, Zerodium is still paying up to $2.5 million for zero-click full-chain exploits with persistence on Android, while the same on iOS maxes out at $2 million.

Here’s a look at Zerodium’s current payout structure:

[Image: iOS exploits]

In related news, an old exploit reemerged recently in China that allowed a hacker group to monitor the Uyghur Muslim minority as recently as March of this year.
