Tech

Discover zero-day vulnerabilities for iOS 9, earn $1 million

An exploit company is offering bug hunters the chance to earn up to $1 million for submitting Apple iOS 9 vulnerabilities.

Written by Charlie Osborne, Contributing Writer Sept. 23, 2015 at 5:36 a.m. PT

If you're a security researcher happy to exclusively sell exploits designed for the iOS 9 mobile platform, Zerodium is offering up to one million for exclusive hacks.

Exploit acquisition firm Zerodium, touting itself as the "premium zero-day vulnerability and exploit acquisition program," provides vulnerability data to clients which are "major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities."

In other words, sell your exploit, cash in, while the company turns a profit by selling vulnerabilities to large companies and organizations worldwide.

The company is keen to capitalize on the launch of Apple iOS 9 and is luring researchers with high financial rewards for their efforts.

In a blog post on Monday, the company said the "Million dollar iOS 9 Bug Bounty" is aimed at security researchers, reverse engineers and jailbreak developers willing to take on Apple security for financial reward. Open until October 31, the 'competition' will award $1 million to each individual or team which submit an "an exclusive, browser-based, and untethered jailbreak" to the company.

In other words, as noted by Errata Security, a browser-based and untethered "jailbreak" is the same as a zero-day exploit which can be used to compromise user devices.

A total of three million as three separate awards, are being offered by Zerodium.

According to Zerodium's bug bounty page, the exploit/jailbreak must include a chain of iOS 9 exploits which bypass all mitigation systems including ASLR, sandboxes, code signing, and bootchains, and must lead to and allow "a remote, privileged, and persistent installation of an arbitrary app" on a fully updated iOS 9 device.

Featured

Zerodium wants the initial attack vector -- the place where exploits can be served -- to be a web page targeting the mobile versions of the Safari or Google Chrome browser, a web page targeting an application reachable through the browser or either an SMS/MMS message.

"The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS (attack vectors such as physical access, Bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug Bounty. Zerodium may, at its sole discretion, make a distinct offer to acquire such attack vectors)," Zerodium states.

Partial or incomplete exploits cannot be submitted for the main prize, although the company will still consider paying out for details. Vulnerabilities submitted to the company must work with the iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone 5 models, iPad minis and iPad Air range.

The firm says:

"All submissions must be made exclusively to Zerodium and must include the fully functioning exploit and its source code (if any), and a detailed whitepaper describing all the zero-day vulnerabilities and techniques used in the jailbreak."

The key word is "exclusive." By stipulating researchers must not disclose their findings to any other company or leak it to the public domain, Zerodium is ensuring that the firm can sell this data on to corporations and governments seeking these kinds of software flaws.

If the vulnerability can be sold on a non-exclusive basis to multiple clients, Zerodium could turn a serious profit. As noted by Errata Security, when the price of a vulnerability can go for up to $300,000, it takes only a handful of clients to offshoot the large bug bounty offered for iOS 9 exploits.