Zerodium Offering a $1 Million iOS 9 Bug Bounty
Startup Zerodium challenges security researchers with the largest bug-bounty award ever: $1 million for a browser-based, untethered jailbreak against iOS 9.

Bugs have value, especially when they can be chained together to create an exploit. Today, zero-day vulnerability acquisition vendor Zerodium is offering the highest bug bounty ever announced: a $1 million award for a browser-based, untethered jailbreak against Apple's new iOS 9 mobile operating system.

Zerodium isn't just offering a single prize either, but rather is prepared to pay out a total of $3 million as part of its iOS 9 bug bounty. The offer, however, has a time limit, and researchers need to submit research by 6 p.m. on Halloween (Oct. 31).

"iOS 9 is the most secure mobile operating system these days, and it's a pretty complex and long process to develop a full chain of exploits that can bypass the advanced mitigations in place," Chaouki Bekrar, founder of Zerodium, told eWEEK. "Hence, we believe that 1 million U.S. dollars is high enough to motivate many talented researchers to accept this highly technical challenge."

To put the Zerodium iOS 9 bug bounty in financial perspective, according to bug-bounty platform vendor Bugcrowd, the average bug-bounty payout is only $200. Hewlett-Packard's Zero Day Initiative (ZDI) paid out a total of $557,500 at its Pwn2Own contest in March, but that was across two days and for flaws in Google Chrome, Adobe Flash, Adobe Reader, Microsoft Internet Explorer 11 and Mozilla Firefox. The largest single payout at Pwn2Own 2015 was $110,000 for Google Chrome vulnerabilities, discovered by security researcher JungHoon Lee, also known as lokihardt.
At Pwn2Own and across the wider vulnerability landscape, WebKit is often a primary path to exploitation for Apple's operating systems. WebKit is the core rendering engine behind Apple's Safari Web browser. Google uses a forked version of WebKit, known as Blink, as the rendering engine behind Chrome.