A 'bug broker' that buys software security bugs and exploits from hackers says it has more of them than it can deal with.
Zerodium is an American information security company founded in 2015, conducting business mainly by developing and acquiring premium zero-day exploits from third parties.
The company then researches the security issues it has acquired and reports protective measures and security recommendations to its clients.
The company has made its name partly because, in many cases, its payouts are much higher than those of Apple's official bug bounty program.
And here, the company said that it is pausing rewards for developers of several types of iOS exploits because it simply has too many of them.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
— Zerodium (@Zerodium) May 13, 2020
The company said on Wednesday that it will be pressing pause on acquiring any more iOS local privilege escalation, Safari remote code execution or sandbox escape exploits "for the next two to three months due to a high number of submissions."
Additionally, the company said that prices for iOS one-click exploit chains (for example via Safari) that lack persistence will probably drop in the near future.
In a follow-up tweet, Zerodium founder Chaouki Bekrar said that iOS security is "fucked."
He said that only two things were keeping iOS security from "going to zero": PAC (pointer authentication, the hardware mitigation Apple introduced with its A12 chips) and the fact that most exploits do not persist across a reboot. Even those two, he added, are eroding, since Zerodium is seeing many exploits that bypass PAC and a few persistence zero-days that work on all iPhones and iPads.
iOS Security is fucked. Only PAC and non-persistence are holding it from going to zero...but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better. https://t.co/39Kd3OQwy1
— Chaouki Bekrar (@cBekrar) May 13, 2020
One of the factors behind Zerodium's decision is the novel coronavirus (COVID-19) pandemic.
Like any other company, Zerodium is affected in one way or another by the global lockdowns and the restrictions placed on its employees.
Because of this, Zerodium's researchers may have more to take care of than vetting submitted exploits and addressing the security concerns of other companies.
The other reason is simply that iOS 13 is unusually buggy.
That is what led Apple software chief Craig Federighi to overhaul the development process for the next version of iOS.
"Let's hope iOS 14 will be better," Bekrar said.