What you need to know
- Security researcher Jack Dates discovered a zero-day exploit with Safari.
- The researcher earned $100,000 for the discovery.
- The Zero Day Initiative pays security researchers to responsibly uncover vulnerabilities.
A security researcher has earned $100,000 for discovering a Safari exploit at the Zero Day hackathon event.
As reported by MacRumors, security researcher Jack Dates discovered a Safari to kernel zero-day exploit during the event, earning Dates $100,00.
Apple products were not heavily targeted in Pwn2Own 2021, but on day one, Jack Dates from RET2 Systems executed a Safari to kernel zero-day exploit and earned himself $100,000. He used an integer overflow in Safari and an OOB write to get kernel-level code execution, as demoed in the tweet below.
Other hacking attempts during the Pwn2Own event targeted Microsoft Exchange, Parallels, Windows 10, Microsoft Teams, Ubuntu, Oracle VirtualBox, Zoom, Google Chrome, and Microsoft Edge.
The Zero Day Initiative, as it explains on the website, encourages security researchers to find zero-day vulnerabilities by compensating them for their discoveries.
The Zero Day Initiative (ZDI) was created to encourage the reporting of 0-day vulnerabilities privately to the affected vendors by financially rewarding researchers. At the time, there was a perception by some in the information security industry that those who find vulnerabilities are malicious hackers looking to do harm. Some still feel that way. While skilled, malicious attackers do exist, they remain a small minority of the total number of people who actually discover new flaws in software.
You can check out an overview of the Zero Day Initiative below: