Exploit acquisition platform Zerodium has shared that it has an oversupply of a few types of iOS and Safari flaws, to the point that it has stopped taking submissions from researchers for the “next 2 to 3 months.”
Zerodium was one of the exploit acquisition companies that was profiled last September in a report from Vice about a flood of iOS exploits hitting the market. A few weeks later we also saw the permanent unpatchable bootrom exploit called checkm8 surface.
More than half a year later, certain iOS and Safari exploits have continued to roll in to Zerodium at such a pace that the company announced that it’s not accepting submissions for local privilege escalation (LPE) iOS exploits, remote code execution through Safari, or sandbox escapes for “the next 2 to 3 months.”
Zerodium also predicted that “prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.”
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
— Zerodium (@Zerodium) May 13, 2020
As highlighted last fall, Zerodium is still paying up to $2.5 million for zero click full chain with persistence exploits on Android while the same on iOS maxes out at $2 million.
Here’s a look at Zerodium’s current payout structure:
In related news, an old exploit reemerged recently in China that allowed a hacker group to monitor the Uyghur Muslim minority as recently as March of this year.
FTC: We use income earning auto affiliate links. More.