Zerodium offers $2 million for Apple vulnerabilities

Zero-day exploit broker Zerodium has once again raised the payouts it offers for most desktop/server and mobile exploits.

The $2 million figure requires discovering a remote, “zero-click” iOS jailbreak “with persistence,” Zerodium said.

Bounties have increased from $500,000 to $1 million for iMessage and SMS hacks, from $200,000 to $500,000 for “Safari + LPE (iOS) [vulnerabilities] including a sandbox escape,” and from $100,000 to $200,000 for flaws allowing privilege escalation to kernel or root on iOS. The greatest proportional leap may be for Touch ID and passcode bypasses, which now pay out $100,000 instead of $15,000.

Other major changes to the payouts are shown in this table:
Zerodium was founded in 2015 by Chaouki Bekrar, who previously founded and ran Vupen Security, an infosec outfit that specialized in discovering zero-day vulnerabilities in order to sell them to law enforcement and intelligence agencies.

Exploits collected by Zerodium are used to provide data and security recommendations to clients. The company sells only to a “limited number of eligible customers,” since criminals and others would naturally want access to such ready-made hacking methods.

Zerodium’s price hike suggests that exploiting vulnerabilities in some operating systems and applications is becoming increasingly difficult.