One way companies are now attempting to discover vulnerabilities in their software or products, is to offer a bounty for any exploits that are found in their software by any third party’s. This is a good way for companies to motivate the public to actively search out exploits. These exploits may have been otherwise been found later by someone with ill intentions.
Why offer so much money for exploits?
Good software companies like Apple are always mindful of the overwhelming risk of a potential breach or vulnerability. Currently they are offering up to $200,000 if you can manage to find a vulnerability in one of their products. Exodus is offering its team up to $500,000 for iOS exploits found and up to $125,000 for Microsoft Edge exploits. This may seem like a huge amount of money to offer out to some of us. However, if you can point out a vulnerability within iOS that can potentially save Apple Millions of dollars in liability’s. This can potentially be a great way for companies to protect themselves before it’s too late.
What kind of vulnerability are they looking for?
The kind of vulnerabilities Apple and Exodus have been looking to find are Zero-Day exploits. These are exploits that have not yet been discovered but are lurking around on your software or network. As a result of this there will be no security patch or protection against them. It is very hard to protect against a vulnerability you do not know exists. Businesses will reach out to security companies like Cyber Protection Group in order to receive penetration testing and vulnerability assessments. When we preform penetration testing one of the things we check for is zero-day exploits. We then meet with these companies afterwards and explain to them ways to protect themselves against these exploits before they become victims.
Should I quit my job and try to hack Apple?
Apple has previously offered $500,000 or more for exploits in the past. There are other companies who have offered up to $1 million. The problem with earning this money is that finding the kind of exploits these companies are looking for is extremely difficult. It would take a group of extremely highly trained ethical hackers working around the clock to find a single good exploit. This is both extremely time consuming for companies and costly to fund. Even with the resources and time needed there is no guarantee you can find an exploit. I would recommend leaving this job to the professionals.
Exodus president Logan Brown said in a press release:
“Through the launch of the RSP, Exodus is excited to be engaging the global research community in our mission to provide the highest quality of vulnerability intelligence in the industry. This additional source of research, supplemented by the investigation and validation of our world-class team, will continue to ensure that our clients receive early notification of the most critical vulnerabilities so that they can offer the best defense possible”
We at Cyber Protection Group feel this is a great goal any company should strive for.