Tuesday, September 22, 2015

Security Company Offers $1 Million Bounty For iOS 9 Bugs and Exploits

Security is big business these days, and bug bounty programs are becoming more and more lucrative. A large number of companies now offer some sort of reward to researchers and would-be hackers for finding and disclosing exploits. One company that has notably been late to the fray, however, is Apple.

While Apple has elected to keep itself out of the 'pay for vulnerabilities' business, that hasn't stopped others from doling out loads of cash for exploits that impact Apple's software. Zerodium, an exploit acquisition company, stepped up where Apple has not with an impressive promise to pay up to $3 million to security researchers who can provide them with an “exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices.”

"Apple iOS, like all operating system[s], is often affected by critical security vulnerabilities," Zerodium said in an announcement. "However due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS.

"But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation," the company continued. "And here's where the Million Dollar iOS 9 Bug Bounty comes into play."

The Million Dollar iOS 9 Bug Bounty is tailored for experienced security researchers, reverse engineers, and jailbreak developers, and is an offer made by Zerodium to pay out a total of three million U.S. dollars ($3,000,000.00) in rewards for iOS exploits/jailbreaks.

The initial attack vector must be a Web page targeting the mobile browser or any application reachable through the browser, or a text message delivered via an SMS or MMS. Plus, the exploitation process should be achievable "remotely, reliably, silently, and without requiring any user interaction" except visiting a website or reading a message, Zerodium said. The jailbreak must also work reliably on the iPhone 6s, 6s Plus, 6, 6 Plus, 5, 5c, and 5s, as well as iPad Air 2, iPad Air, fourth-gen iPad, third-gen iPad, iPad mini 4, and iPad mini 2.

Zerodium will pay out one million U.S. dollars ($1,000,000.00) to each individual or team who creates and submits to Zerodium an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices. The program is open until Oct. 31 at 6 p.m. Eastern. But keep an eye on Zerodium's website, as the bug bounty may end early, once the $3 million payout is depleted.

For those interested in taking a chance at the reward, you can view the full details and terms of the program here.

We feel we should also mention there are at least a few concerns over what Zerodium's intentions with the vulnerabilities are. Our brethren of geeks over at Engadget have warned hackers to beware of Zerodium, as founder Chaouki Bekrar has a history of selling exploits to the highest bidder rather than disclosing issues to the manufacturer. In fact, Zerodium does not want these vulnerabilities patched, at least not until it can resell them for a profit, Engadget said.
