Bugs have value, especially when they can be chained together to create an exploit. Today, zero-day vulnerability acquisition vendor Zerodium is offering the highest bug bounty ever announced: a $1 million award for a browser-based, untethered jailbreak against Apple's new iOS 9 mobile operating system.
Zerodium isn't just offering a single prize either, but rather is prepared to pay out a total of $3 million as part of its iOS 9 bug bounty. The offer, however, has a time limit, and researchers need to submit research by 6 p.m. on Halloween (Oct. 31).
"iOS 9 is the most secure mobile operating system these days, and it's a pretty complex and long process to develop a full chain of exploits that can bypass the advanced mitigations in place," Chaouki Bekrar, founder of Zerodium, told eWEEK. "Hence, we believe that 1 million U.S. dollars is high enough to motivate many talented researchers to accept this highly technical challenge."
To put the Zerodium iOS 9 bug bounty in financial perspective, according to bug-bounty platform vendor Bugcrowd, the average bug-bounty payout is only $200. Hewlett-Packard's Zero Day Initiative (ZDI) paid out a total of $557,500 at its Pwn2own contest in March, but that was across two days and for flaws in Google Chrome, Adobe Flash, Adobe Reader, Microsoft Internet Explorer 11 and Mozilla Firefox. The largest single payout at Pwn2own 2015 was $110,000 for Google Chrome vulnerabilities, discovered by security researcher JungHoon Lee, also known as lokihardt.
At Pwn2own and across the wider vulnerability landscape, WebKit is often a primary path to exploitation for Apple's operating systems. WebKit is the core rendering engine behind Apple's Safari Web browser. Google uses a forked version of WebKit, known as Blink, as the rendering engine behind Chrome.
"We definitely expect to see Webkit/Blink as the primary targets for researchers to trigger the initial attack on iOS 9 as there are still many vulnerabilities affecting this component despite the efforts of Google and Apple," Bekrar said.
Zerodium is an independent, privately held company that started up in July. Bekrar explained that Zerodium follows a commercial disclosure policy and reports all acquired vulnerabilities to its clients. The Zerodium Security Research Feed (Z-SRF) is made available to Zerodium clients and includes security information about vulnerabilities as well as recommendations and protective measures.
"As of today, Zerodium has acquired various zero-day exploits mostly affecting Web browsers on Windows and Android, as well as Flash and Office exploits," Bekrar said. "We're currently spending between $400,000 to $600,000 per month for vulnerability acquisitions, and we expect to spend around one million U.S. dollars per month before the end of this year additionally to the iOS bug bounty."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.