by Al Sacco

Android, iOS bug bounty biz is booming

News Analysis
Aug 11, 2016

Hackers who identify and document proven critical software vulnerabilities in Android or iOS stand to cash in big time, thanks to new bug bounty increases from Apple, Google and at least one security firm.

If you’re not a hacker pounding away on Android or iOS for security flaws, you may be in the wrong profession — at least if you appreciate a nice stack of Benjamins.

A single verified zero-day vulnerability in iOS could net you a cool half mil from security firm Exodus Intelligence. That’s 150 percent more moola than the $200,000 amount Apple last week said it would offer for proven critical vulnerabilities. Apple also said it would double that amount if recipients donate the cash to charity.

And it’s not just iOS engineers facing a potential windfall. Just last month, Google significantly upped its Android bug bounties. Google will now pay as much as $50,000 for remote exploit chains or exploits that lead to Android TrustZone or Verified Boot compromises, as part of its Android Security Rewards program. (Apparently iOS hackers can make more than Android engineers, just as Apple app makers bring in more revenue than Android coders.)

The endgame for nearly every hacker who tries to crack an OS is financial gain. Thanks to these bug bounty programs from Apple, Google and third-party security firms, white hat coders can make as much (or more) money today working in the light as their black hat counterparts who lurk in the shadows.