Security firm is buying iOS 9 exploits for $1 million

By Scorpus · 7 replies
Sep 22, 2015
  1. Zerodium, a startup that bills itself as the "premium zero-day vulnerability and exploit acquisition program", is currently running a massive bug bounty program that is offering $1 million to developers who discover critical, exploitable flaws in iOS 9.

    The company is willing to pay a total of $3 million for three separate iOS 9 exploits; $1 million to each group of developers. However, it's going to take a particularly serious exploit to claim the million dollar bounty, as Zerodium's requirements are lengthy and strict.

    The exploit in question must use an unknown flaw and lead to a "remote, privileged, and persistent installation of an arbitrary app", essentially making it an untethered jailbreak of iOS 9. On top of this, the flaw must be exploitable silently, reliably and remotely without any user interaction, with attacks originating through either a web page, SMS or MMS.

    The exploit must be delivered exclusively to Zerodium and must work on all iOS 9 devices newer than and including the iPhone 5 and 3rd-gen iPad. The program will run through to October 31st, although if three exploits are discovered before then, the program will end early.

    Zerodium doesn't state what the zero-day exploits will be used for, although the company lists its clients as major corporations "in need of advanced zero-day protection" as well as governments "in need of specific and tailored cybersecurity capabilities".

    It's most likely that these exploits will be packaged up for groups that require silent backdoor entry into iOS 9 devices, such as governments that want to tap into and spy on an iPhone user. These types of exploits that remain unpatched and unknown to the public typically command high prices on the market, which is why Zerodium is offering such a large sum for iOS 9 exploits.


  2. RzmmDX

    RzmmDX TS Guru Posts: 313   +67


    Screw looking for vulnerabilities ourselves! WE HAVE MONEY.
  3. Isn't that illegal? ...unless the government is doing it?
  4. jobeard

    jobeard TS Ambassador Posts: 11,155   +985

    Fraud, Extortion, Conspiracy to defraud, Solicitation to defraud, ....
  5. VitalyT

    VitalyT Russ-Puss Posts: 3,664   +1,949

    Publicly inspiring hackers to perfect their skills is quite immoral, and should be made illegal.
  6. Business Direct

    Business Direct TS Booster Posts: 44

    A government wanting unfettered access to something that has an expectation of privacy attached to it is what's (or should be) illegal guys. I find the creep putting a spycam in a bathroom a lot more gross than the guy that makes the camera.
  7. Hexic

    Hexic TS Maniac Posts: 333   +164

    There is no expectation of privacy when it comes to the internet/IoT. The sooner people realize that, the sooner this circular debate will end. Welcome to the real world.
  8. Business Direct

    Business Direct TS Booster Posts: 44

    That's silly. If you would have said that there is no expectation of privacy on social networks then sure but if I don't use them or any other "free" service then I expect that the contents of my locked and encrypted phone are private.
    jobeard likes this.
