The act of pay rewards for bugs found on systems is nothing new, although Apple instituted its own program of this nature long after its main competitors and most bug hunters still prefer to save their findings for other uses.
Well, based on this new offer of a startup Arabs, it seems that hunters will continue to prefer to sell their discoveries to companies other than Apple. THE Crowdfense, a new company based in the United Arab Emirates, announced that pay up to $ 3 million for unexplored bugs (ie not yet documented) on four systems: macOS, iOS, Android and Windows.
This is the highest amount ever offered publicly for flaws in these systems, with some leeway to get an idea, Apple pays a maximum of $ 200,000 for a bug found in any of its systems, and parallel markets are around $ 1 million in the maximum, for this type of activity.
However, according to a report by Motherboard, Crowdfense will not use these findings to create jailbreak or invade systems on their own: apparently the idea of startup selling tools based on these discoveries to governments, intelligence services and law enforcement agencies, at an even higher price. In fact, it doesn't seem like a very distant thought to imagine the FBI negotiating with such a company to have direct access to versions of iOS without needing solutions like GrayKey.
As Crowdfense director Andrea Zapparoli states:
When I think about government agencies I don't think about the military, I think about the civilian part, which works against crime, terrorism and things like that. We only focus on tools dedicated to law enforcement or intelligence activities, not to destroy or deteriorate the functionality of target systems just to collect intelligence data.
Yes, a good conversation for a company that, like all others in the industry, like Grayshift and Cellebrite walks a very thin line between legality and privacy invasion. The creators of Crowdfense try to position themselves as defenders of legal practices and anti-terrorism and crime-fighting projects, perhaps to distance themselves from the really shady images of other companies in the industry, and claim to work only with the best vulnerability researchers in the world. branch; at least apparently, the idea is to convey greater transparency in the activities carried out by there.
The initial budget of rewards for startup $ 10 million, and only “complete” bugs (full-chain) may generate rewards between US $ 500 thousand and US $ 3 million, depending on relevance. Partial bugs will be evaluated individually and, if Crowdfense decides to buy them, it will certainly be for a lower price. Still, it's a nice offer, isn't it?
via Apple World Today