For the first time, the price for Android exploits is higher than that for iOS exploits; this is what has emerged from the updated
A zero-click exploit chain for Android would be rewarded with up to $2.5 million, while an exploit chain for iOS would be rewarded with only $2 million.
“Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero click exploits not requiring any user interaction,” explained Zerodium’s CEO Chaouki Bekrar.
Zerodium also announced it has increased the payouts for eligible iMessage and WhatsApp 0-click exploits. The company also reduced payouts for iOS 1-click exploits.
RCE + LPE exploits without persistence for iMessage and WhatsApp could be rewarded with a $1,500,000 payout (50% more than the previous price tag).
“ZERODIUM payouts for
“The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation,
Zerodium may also pay higher rewards for “exceptional” exploits that meet its “highest requirements.”
The price for WhatsApp
In March 2019, the exploit acquisition firm offered up to $500,000 for VMware ESXi and Microsoft Hyper-V vulnerabilities. At the time, the offer for Microsoft Hyper-V exploits was a novelty in Zerodium’s offering: it was the first time that the zero-day broker had included a payout for this kind of exploit.