February 13, 2017

Zimperium starts bug bounty for N-day exploits

Zimperium now has a program that pays hackers for undisclosed mobile app security exploits: the mobile security firm has announced $1.5 million for its zLab N-day exploit acquisition program, which buys exploits discovered during mobile app security testing.

Zimperium is focusing on N-day vulnerabilities: bugs that are already public, but for which vendors have failed to deploy a patch, so the exploit is still open to hackers. The aim is to get vendors to improve their security update process and to reward researchers for creating exploits that become worthless once each one is reported to the vendor. There is also the hope that this will create a more secure mobile market, giving vendors a way to run mobile app security testing against known exploits and lowering the number of mobile app security incidents.

Many detected vulnerabilities are reported to vendors without any working exploit; in that case the vendor is expected to understand the implications without proof and patch the vulnerability on its own. Many other exploits are sold to hackers or government agencies behind closed doors. These zero-day exploits use undisclosed vulnerabilities, so administrators have had no time to mitigate them between disclosure and the time of attack.

Zimperium’s belief is that by acquiring these exploits it will be able to improve the security of the ecosystem for its vendors and partners. Its mobile app security technology is used by device vendors and carriers serving a large number of users, including users with older mobile devices that no longer receive security updates. Supporting those old devices can therefore show vendors how to improve their services and their mobile app security testing profile.

The firm is seeking exploits for remote and local vulnerabilities, and also for bugs leading to information disclosure. Apart from the newest OS releases, the program also covers historical Android and iOS versions. Zimperium will use the acquired mobile app security exploits to enhance its Z9 mobile application engine. The exploits will also be shared with ZHA, which consists of security team members and mobile app security testers from about 30 device manufacturers and carriers worldwide.

Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.