Zimperium has announced an exploit acquisition program aimed at Android and iOS mobile device vulnerabilities which are already patched.
Announcing the program on February 1, the company said a total of $1.5 million will be budgeted for the next year to snap up N-day exploits on Google's and Apple's mobile platforms.
Zero-day bugs are unknown security flaws that vendors have not yet patched. In the time it takes companies to develop patches that mitigate and fix the security holes, these flaws are of use to cyberattackers, state-sponsored groups and law enforcement attempting to compromise devices for the sake of investigations.
Zero-day vulnerabilities in the most popular flagship devices, such as the iPhone range, can earn researchers up to $1.5 million if they find and sell them privately rather than disclosing them directly to the vendor in question.
In 2016, the FBI paid researchers $1 million for providing an exploit used to break into an iPhone belonging to one of the San Bernardino shooters.
While unpatched bugs are usually of interest to exploit sellers, Zimperium wants to focus on N-day exploits. The term refers to the one or more days, once a vendor has admitted to a security problem and begun working on a fix, in which systems can be exploited and attacked before they receive updates for the known vulnerability.
Zimperium says that while zero-day purchases result in patches being developed to mitigate security problems, "millions of users remain at risk due to poor patch deployment processes that never reach the majority of mobile devices."
"By focusing on N-days, or patched vulnerabilities, Zimperium is applying pressure on the mobile ecosystem to re-think how and when users receive security updates," the company says. "[The] program will reward the hard work of researchers who wouldn't otherwise receive compensation for an N-day exploit."
Members of Zimperium's research team, zLabs, will evaluate submitted N-day exploits, both local and remote, as well as information disclosure security flaws and other bugs, for purchase. If the team is able to replicate vulnerabilities and attacks in older devices and operating systems, it will provide researchers with a quote.
If payment is accepted, the exploit is then released to members and partners of Zimperium's Handset Alliance (ZHA), which includes tech giants such as Samsung, Softbank, Telstra and Blackberry, alongside another 30 handset vendors, in the hopes of improving the speed of patch development and distribution.
Zimperium will then publicly release the exploit one to three months later. The vulnerability information will also be used in the Zimperium z9 threat detection engine.
"Unfortunately, the security patching process for mobile devices' operating systems is extremely slow, which leaves companies and individuals highly vulnerable to dozens of security threats," said Zuk Avraham, CTO and founder at Zimperium.
"Through this program, our customers, partners, and the infosec community will get access to exploits and exploit techniques so that they will be able to provide better protection from existing threats," Avraham added.