Exploit Acquisition Program for Android and iOS devices
February 1, 2017
focusing on N-days, or patched vulnerabilities, Zimperium is helping
accelerate how mobile security updates are delivered.
Zimperium’s program encourages security research by rewarding the hard
work of researchers who wouldn’t otherwise receive compensation. For
example, professional hacking groups often purchase zero-day exploits
for anywhere from a few thousand dollars up to 1 million dollars for a
full, remote exploit chain. However, as soon as a patch is available,
that exploit becomes worthless from a monetary perspective.
“Unfortunately, the security patching process for mobile devices'
operating systems is extremely slow, which leaves companies and
individuals highly vulnerable to dozens of security threats,” said Zuk
Avraham, Founder and Chairman at Zimperium. “Through this program, our
customers, partners, and the infosec community will get access to
exploits and exploit techniques so that they will be able to provide
better protection from existing threats.”
Zimperium is changing that model and allocating $1.5 million to purchase
N-day exploits. A committee built from select members of Zimperium’s
renowned research team, zLabs, will evaluate remote and local exploits,
information disclosure exploits and others, for purchase.
will use the exploits to further enhance its machine learning-based
threat detection engine, z9. Since many devices in BYOD and
company-provided mobile device environments may be outdated and cannot
receive patches, Zimperium will provide compatibility support for
versions that vendors no longer support (e.g. Android 4.1).
With the researcher’s permission, the
exploit will first be released to members of Zimperium’s Handset
Alliance (ZHA), which includes Samsung, Softbank, Telstra, Blackberry
and more than 30 members from the most well-known handset vendors and
mobile carriers in the world. For those that are not members of ZHA,
Zimperium will publicly release the exploit one to three months later,
crediting the appropriate researcher. Security contacts of carriers and
vendors are welcome to join ZHA at no cost.