Broker Outbids Apple Bug Bounty Program by Hundreds of Thousands of Dollars
Not a week after Apple announced details about its first-ever bug bounty program, wherein computer security researchers report undiscovered software vulnerabilities in exchange for money, a competitor has sought to one-up it.
Exodus Intelligence, a small, four-year-old private firm based in Austin, Texas, has unveiled a program that offers as much as $500,000 for certain bugs or exploits—more than double Apple’s (AAPL) maximum reward of $200,000. Exodus calls its bug acquisition business a “research sponsorship program,” a euphemism for “sell us—not Apple—your code cracks.”
The bug broker is looking to buy both “zero-day” vulnerabilities (flaws in code that are unknown to the rest of the world) and “n-day” vulnerabilities (exploits or vulnerabilities that have already been patched). Exodus then charges other companies a subscription fee starting at $200,000 per year for intel about these software weaknesses, as reported in a 2014 story in Time, sister publication to Fortune.
Customers can range from cybersecurity vendors, to penetration testers, to governments, to others. The company says it prioritizes defensive clients (rather than offensive ones), at least according to the marketing language on its website.
Exodus’ generally higher-priced payouts—plus a possible “quarterly bonus” for keeping hush—are designed to incentivize security researchers to share their findings with Exodus alone. The reason for the silence is that as soon as any bugs come to the attention of one of the listed tech companies, that company can patch them, rendering the vulnerabilities and exploits useless. (Exodus did not immediately respond to Fortune’s request for clarification about how the company set its prices.)
Historically, bug brokers have operated quietly and kept their price listings private. Last year, however, Zerodium, another bug broker, debuted a million-dollar bounty for iOS hacks. Since then, the company has reduced its payout to half that sum, same as Exodus.
“Through the launch of the RSP [research sponsorship program], Exodus is excited to be engaging the global research community in our mission to provide the highest quality of vulnerability intelligence in the industry,” said Logan Brown, Exodus’ president and CEO, in a statement.
Brown previously served at HP (now HP Inc. (HPQ) and Hewlett Packard Enterprise (HPE)), before the company sold its TippingPoint network defense division to the cybersecurity firm Trend Micro (TMICY) for $300 million in 2015. There he worked on the Zero Day Initiative team, which rewards security researchers for disclosing vulnerabilities.
Exodus said it offers payment to researchers via check, wire transfer, Western Union (WU), and the cryptocurrency Bitcoin.