Zerodium is a vulnerability acquisition platform that pays researchers for zero-day security vulnerabilities and resells them to customers such as governments and law enforcement agencies. This week, however, Zerodium announced that, because of the large number of iOS exploits submitted over a short period, it does not plan to purchase such submissions for the next 2 to 3 months. Zerodium is reported to focus on high-risk vulnerabilities, and a fully functional iOS exploit is usually rewarded with between 100,000 and 2 million US dollars.
Chaouki Bekrar, CEO of Zerodium, said in a tweet that the security situation of iOS is not as good as everyone thinks, and pointed out that there have been zero-day exploits affecting all iPhones and iPads. Bekrar nevertheless hopes that iOS 14 will improve the situation.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors. — Zerodium (@Zerodium) May 13, 2020
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
In addition to third parties such as Zerodium, Apple runs its own bug bounty program. If you find a security hole in iOS, iPadOS, macOS, tvOS, or watchOS, the reward ranges between US$50 million and US$1 million.