Zerodium this week announced that it will not be purchasing any iOS exploits for the next two to three months due to a high number of submissions. In other words, the company has so many security vulnerabilities at its disposal that it does not need any more.
Zerodium is an exploit acquisition platform that pays researchers for zero-day security vulnerabilities and then sells them to institutional customers like government organizations and law enforcement agencies. The company focuses on high-risk vulnerabilities, normally offering between $100,000 and $2 million per fully functional iOS exploit.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
— Zerodium (@Zerodium) May 13, 2020
In an explicit tweet, Zerodium CEO Chaouki Bekrar said iOS security is in bad shape, noting that there are at least a few persistent zero-day security vulnerabilities affecting all iPhones and iPads. “Let’s hope iOS 14 will be better,” added Bekrar.
Apple has its own bug bounty program that offers between $5,000 and $1 million for security vulnerabilities in iOS, iPadOS, macOS, tvOS, or watchOS.