Last week, Apple announced it would offer cash rewards to people who found security flaws in its systems. Apple is late to the practice of offering so-called bug bounties, but in typical style decided to change the rules of the game. Its biggest reward is $200,000, or 10 times the maximum payout Google offers and double Microsoft’s richest bounty.
Apple’s reward program has spurred others to offer even more money for identifying vulnerabilities. Security firm Exodus Intelligence is now offering more than double Apple’s top price for bugs affecting the newest versions of iOS, according to Motherboard. It will pay up to $500,000 for flaws in iOS 9.3 and above.
There has long been a lucrative market for knowledge of previously undiscovered security holes, known as “zero days.” Criminals, governments and the private sector have all been known to shop for zero days for surveillance, law enforcement, or research purposes. Companies have paid as much as $1 million for these disclosures, and the FBI probably paid more than $1 million for the exploit that allowed it to access the iPhone of one of the San Bernardino mass shooters.
The market for exploits is opaque and illiquid; prices are rarely published and must be negotiated with individual zero-day vendors. One cache of leaked emails from a vendor in 2015 gave some insight into this murky market.
Apple’s bug-bounty program appears to have put a floor under the prices of exploits for its own systems. By making its rates public, Apple is providing crucial pricing data on the market for security flaws. Researchers who find a qualifying flaw now know for certain they can get $200,000 from Apple. Other vendors now have a well-defined minimum they must beat to entice researchers to sell techniques to them. In other words, the market is now finding a new clearing price for Apple zero-days.
Apple says it’s limiting its bounty program to invited researchers for now. That’ll dampen the effect of its published rates on the zero-day market, but it’s only a matter of time before its rewards are fully priced in.