Five years ago, Zerodium offered a $1 million reward for a browser-based, untethered jailbreak in iOS 9. However, the software exploit broker said it won't pay anything for some iOS bugs due to an oversupply.
The company tweeted that it will not acquire any new Apple iOS local privilege escalation, Safari RCE [remote code execution], or sandbox escapes for the next two to three months due to a high number of submissions related to these vectors.
In fact, it expects that prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop soon.
According to the firm's most recent price list, Safari RCE+LPE bugs had been eligible for payments of up to $500,000. A more comprehensive exploit, like a zero-click iOS FCP [full chain with persistence] flaw, should still qualify for a payout of up to $2 million.
Zerodium's founder Chaouki Bekrar said on Twitter: "iOS Security is fucked… only [Pointer Authentication Codes] and non-persistence are holding it from going to zero...but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better."
Apple's iOS 13 is buggier than a Sardinian Casu Marzu cheese and word on the street is that Apple has had to overhaul the company's internal software testing process to avoid a repeat when iOS 14 arrives later this year. The mobile OS has had 12 updates - about half with no cited vulnerabilities, or CVEs - since its release in September 2019.
The situation has been bad since last September when Zerodium said for the first time that it would pay more for flaws in Android than in iOS.
Shortly after that, in December last year, Apple opened its bug bounty programme, which had been invitation-only since 2016.
While Apple is saying nothing, the Tame Apple Press claims that Zerodium's remarks are pure PR/marketing shenanigans and trolling and Apple is as secure as it ever has been – which is what we have been saying all along.