Connect with us

Hi, what are you looking for?


Mobile & Wireless

Zimperium Throws $1.5 Million at Mobile N-day Exploits

Zimperium Launches Exploit Acquisition Program for Android and iOS N-Days, But No Interest in 0-Days

Zimperium Launches Exploit Acquisition Program for Android and iOS N-Days, But No Interest in 0-Days

Bug bounty programs exist to encourage researchers to find and report zero-day vulnerabilities. The theory is that the vulnerability is patched and the threat goes away. In reality, however, the zero-day vulnerability simply becomes an N-day exploit; where ‘n’ is the number of days between the patch and its deployment. During this period, an N-day exploit is as dangerous as a 0-day exploit.

This is a particular problem in the mobile world, where millions of users remain at risk for extended periods due to poor deployment processes that never reach the majority of mobile devices. Now Zimperium, which raised $12 million in Series B funding in February 2015, is attempting to upset the status quo with the announcement of a zLabs $1.5 million N-day exploit acquisition program.

Mobile N-Days and Zero-Days

“Unfortunately, the security patching process for mobile devices’ operating systems is extremely slow, which leaves companies and individuals highly vulnerable to dozens of security threats,” explains Zuk Avraham, CTO and founder at Zimperium. “Through zLab’s new Exploit Acquisition Program, our customers, partners, and the rest of the cybersecurity community will be notified of these vulnerabilities so that they will be able to provide the highest level of protection possible.”

There are several actual and hoped-for effects. The first is that once an N-day exploit is known, it will apply pressure to the mobile ecosystem to rethink and improve the security process update. The second is that it will encourage and reward those researchers that develop exploits that immediately become worthless, in bug bounty terms, as soon as the vulnerability is known to the vendor. 

The third is that it will simply make for a more secure mobile market. With the researcher’s approval, the exploit will be released to members of the Zimperium Handset Alliance (ZHA). This includes Samsung, Softbank, Telstra, Blackberry and more than 30 members of well-known handset vendors and mobile carriers around the world. Zimperium will publicly release the exploit crediting the researcher after between one and three months.

The fourth is Zimperium’s own reward. It will use the exploits and the techniques used in the exploit to enhance its own machine learning z9 threat detection engine. This will give customers protection against the exploit even before the patch is released and deployed.

The reporting process is relatively simple for researchers who produce relevant N-day exploits. They should simply email ninja_exploits at, describe the exploit, quote the CVE number, explain how the exploit chain works, and state whether they wish to release the code publicly, and receive credit for it.

Advertisement. Scroll to continue reading.

The exploit is then evaluated by a zLabs committee, and a researcher compensation offer raised. “As a rule,” Avraham told SecurityWeek, “critical flaws — such as a full, remote exploit chain — will receive more compensation than local exploits. Once we are able to trigger a vulnerability on an older device/OS, we will provide a quote.”

“It’s simple,” he wrote in a blog post today. “We’ll buy remote or local exploits targeting any version other than the latest version of iOS and Android.”

It could be argued that by encouraging the development of N-day exploits and incorporating their solution into the z9 detection engine, Zimperium is increasing the threat level for any user not using Zimperium. Avraham refutes this suggestion. “While individual device owners won’t see the benefits of this program immediately,” he told SecurityWeek, “we’re doing everything we can to enhance the way that users receive security updates.

“Sophisticated attackers,” he continued, “didn’t wait for this program to research the monthly security bulletins. These vulnerabilities already exist and are explored by sophisticated actors. Making these vulnerabilities available to the Zimperium Handset Alliance (ZHA) and then the security community, decreases the chances that they will be used in targeted attacks, increases the chances of the carriers to stop these attacks, increases the chances of the vendors allocating resources to provide an update, and helps the entire ecosystem.”

In reality, the scheme formalizes and increases what Zimperium has already done. In September 2015 it published an exploit for a critical Android Stagefright vulnerability. The vulnerability had already been patched by Google, but the existence of a published exploit applied pressure on Android suppliers to deliver the patch.

It is certainly true that anything done to decrease the duration of an N-day exploit must be beneficial. But what happens if the $1.5 million runs out? “That will be a great problem to have,” said Avraham. “Depending on the success of the program we may allocate more.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.