News | September 22, 2015 10:59 AM EDT

The $1 million iOS bug bounty is bad for security research - Engadget

The public perception of the black-hat hacker is of a lone person sitting in a dark room creating malware, unleashing it on the world, and reaping the profits of their exploit. The reality is a bit more complicated and far more financially lucrative. Nothing shines a light on this more than the Zerodium publicity stunt of offering $1 million for iOS 9 zero-day exploits. Founder Chaouki Bekrar has a history of selling exploits to the highest bidder instead of disclosing the issue to the maker of the compromised product. It flies in the face of responsible disclosure of exploits by security researchers and means that anyone with enough cash will have the ammunition to ruin the digital life of anyone with an iPhone.

Unlike corporate bug-bounty programs that pay researchers to share exploits found in products so that a company can squash those problems, Zerodium doesn't want these exploits closed. At least not until it can resell the exploit for a profit. Lance Cottrell, chief scientist of security firm Ntrepid, told Engadget that these exploits are "almost certainly going to be used against people's best interests."
