Security firm is buying iOS 9 exploits for $1 million

Scorpus


Zerodium, a startup that bills itself as the "premium zero-day vulnerability and exploit acquisition program", is currently running a massive bug bounty program that offers $1 million to researchers who discover critical, exploitable flaws in iOS 9.

The company is willing to pay a total of $3 million for three separate iOS 9 exploits: $1 million to each team. However, it's going to take a particularly serious exploit to claim the million-dollar bounty, as Zerodium's requirements are lengthy and strict.

The exploit in question must use an unknown (zero-day) flaw and lead to a "remote, privileged, and persistent installation of an arbitrary app", which in practice means a remote, untethered jailbreak of iOS 9. On top of this, the full chain must work silently, reliably and remotely, with no user interaction beyond visiting a web page or receiving an SMS or MMS, since those are the only delivery vectors Zerodium accepts.

The exploit must be delivered exclusively to Zerodium and must work on all iOS 9 devices from the iPhone 5 and 3rd-generation iPad onward. The program will run through October 31st, although if three qualifying exploits are submitted before then, the program will end early.

Zerodium doesn't state what the zero-day exploits will be used for, although the company lists its clients as major corporations "in need of advanced zero-day protection" as well as governments "in need of specific and tailored cybersecurity capabilities".

It's most likely that these exploits will be packaged up for groups that require silent backdoor entry into iOS 9 devices, such as governments that want to tap into and spy on an iPhone user. Exploits of this kind, which remain unpatched and unknown to the public, typically command high prices on the market, which is why Zerodium is offering such a large sum for iOS 9 exploits.


 
Publicly inspiring hackers to perfect their skills is quite immoral, and should be made illegal.
 
A government wanting unfettered access to something that has an expectation of privacy attached to it is what's (or should be) illegal, guys. I find the creep putting a spycam in a bathroom a lot more gross than the guy that makes the camera.
 
There is no expectation of privacy when it comes to the internet/IoT. The sooner people realize that, the sooner this circular debate will end. Welcome to the real world.
 
That's silly. If you had said that there is no expectation of privacy on social networks, then sure, but if I don't use them or any other "free" service, then I expect that the contents of my locked and encrypted phone are private.
 