Security firm buys exploits for already known Android and iOS vulnerabilities
Security firm Zimperium has announced a program to purchase exploits for known Android and iOS vulnerabilities. Until now, companies have only paid for zero-days, vulnerabilities that are not yet known to the software supplier. The company wants to learn how the exploits work.
Zimperium, the same company that discovered the Stagefright vulnerability in Android in 2015, writes that the value of a vulnerability drops to almost zero once it is known to the software vendor. The same goes for the associated exploits. The company does not say how much such an exploit is worth on average, but says it wants to set aside $1.5 million to purchase them.
Furthermore, it says that it has started the program to learn from the exploits and thereby improve its own systems. In addition, it wants to publish the exploits unless their creator objects. Publication takes place first within the Zimperium Handset Alliance, which includes several smartphone manufacturers, such as Samsung and BlackBerry.
Zimperium wants to give the alliance members one to three months before it publishes the exploit. Among other things, the company is looking for exploits that can be used remotely or locally. It says it is not interested in buying zero-days. Other companies are, and offer high amounts, for example for a vulnerability that makes a remote jailbreak possible. In that case, the purchase price can be up to 1.5 million dollars.