The power of competition for exploits?
Jan. 7, 2019 – Payouts for the majority of Desktops/Servers and Mobile exploits have been increased. Major changes are highlighted below:
Modification Details Increased Payouts
(Mobiles)$2,000,000 – Apple iOS remote jailbreak (Zero Click) with persistence (previously: $1,500,000)
$1,500,000 – Apple iOS remote jailbreak (One Click) with persistence (previously: $1,000,000)
$1,000,000 – WhatsApp, iMessage, or SMS/MMS remote code execution (previously: $500,000)
$500,000 – Chrome RCE + LPE (Android) including a sandbox escape (previously: $200,000)
$500,000 – Safari + LPE (iOS) including a sandbox escape (previously: $200,000)
$200,000 – Local privilege escalation to either kernel or root for Android or iOS (previously: $100,000)
$100,000 – Local pin/passcode or Touch ID bypass for Android or iOS (previously: $15,000)NOTE: Payouts were also increased for other products including: RCE via documents/medias, RCE via MitM, ASLR or kASLR bypass, information disclosure, etc.
Increased Payouts
(Servers/Desktops)$1,000,000 – Windows RCE (Zero Click) e.g. via SMB or RDP packets (previously: $500,000)
$500,000 – Chrome RCE + SBX (Windows) including a sandbox escape (previously: $250,000)
$500,000 – Apache or MS IIS RCE i.e. remote exploits via HTTP(S) requests (previously: $250,000)
$250,000 – Outlook RCE i.e. remote exploits via a malicious email (previously: $150,000)
$250,000 – PHP or OpenSSL RCE (previously: $150,000)
$250,000 – MS Exchange Server RCE (previously: $150,000)
$200,000 – VMWare ESXi VM Escape i.e. guest-to-host escape (previously: $100,000)
$80,000 – Windows local privilege escalation or sandbox escape (previously: $50,000)NOTE: Payouts were also increased for other products including: Thunderbird, VMWare Workstation, Plesk, cPanel, Webmin, WordPress, 7-Zip, WinRAR, etc.
Not quite in the star athlete range but getting there.
The higher the bounties, the more people who will be hunting. Not unlike the lottery. Some of them will win based on skill, others will stumble on exploits.
What we really need is a competitive market for data, however it is obtained.