Find a new Android exploit? Sell it to a secretive company for $3 million

  • A company based in the United Arab Emirates called Crowdfense is offering millions of dollars for zero-day Android exploits.
  • While a bounty for exploits is not a new concept, this Crowdfense bounty is mysterious, as the company won’t specifically say where the exploit goes from there.
  • A zero-day Android exploit is pretty serious business, and this company’s intentions are unclear.

If you stumble across a zero-day Android exploit (that is, a bug or vulnerability that is unknown to Google), a company called Crowdfense will pay you up to $3 million for that information.

Sounds amazing, right? The only issue is that it is not clear what Crowdfense would then do with the exploit. The company admits that it would sell the exploit to other organizations, but which ones and for what purpose is unknown.

The Crowdfense website describes the company as “a world-leading vulnerability research hub” that “evaluates state-of-the-art active cyber-defense capabilities” and then “offers them to a carefully selected group of global institutional customers.” In other words, the company looks for holes in major systems and then sells the information to undisclosed organizations.

While Crowdfense is probably an ethical company that will only use the supplied exploit information to do good in this world, it’s also hard not to imagine a company in its position selling off the software vulnerabilities to the highest bidder, putting anyone who uses the software at risk. After all, we are talking about millions of dollars here, which necessitates a tiny list of potential customers.

For the sake of comparison, Google itself offers bounty rewards for Android exploits. But the payout from Google will likely be in the thousands of dollars, not millions.

Crowdfense isn’t just looking for Android exploits, either. It will pay from hundreds of thousands up to millions of dollars for zero-day exploits related to iOS, Windows, and macOS.

According to Crowdfense director Andrea Zapparoli Manzoni, via Motherboard, the company has $10 million banked, which it controls from its headquarters in the United Arab Emirates. Manzoni admits that Crowdfense’s customers are “law enforcement or intelligence” agencies that are looking for tools “aimed at collecting intelligence.” So it seems like the exploits go to government institutions. But which governments?

With our world becoming more and more connected, software vulnerabilities will only get more dangerous. If you find a weakness of any kind in any type of software, be sure to thoroughly vet any person or organization with which you would share that information.

via Android Authority

April 26, 2018 at 12:40PM